Hi, there's a simpler way to parse that, let me come up with a parser for you.

-- Bazsi

On Thu, Oct 15, 2015 at 7:28 PM, Nadine Miller <nadine.miller@defpoint.com> wrote:
I've searched through the archives and spent some time trying to find possible answers on the web, but haven't found a definitive answer.
I'm in a situation where I need to parse syslog streams being forwarded through an AWS ELB. The normal configuration of the ELB resets the source IP to be the ELB's IP address. Logs are coming from multiple AWS VPCs, and we've already discovered duplicate hostnames across different VPCs, which has mingled logs from different hosts into one receiving log file.
The ELB has another mode, referred to as "Proxy Protocol" which adds a single line to the TCP stream in the form:
PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"
Example:
PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n
Is it possible to use this proxy line in syslog-ng to properly segregate the log messages? If so, what would be the best method to use? I've done a lot of filtering/templating with normal UDP syslog and syslog-ng, but this is the first time I've had to consider something crazy like this.
Currently there is no option at this time to change configurations at endpoints sending the syslog messages, nor can we remove the ELB.
For reference:
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable...
Thanks in advance-- =N=
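As an added illustration of the header format quoted above (this is not Bazsi's parser and not syslog-ng code), a small Python parser for the PROXY protocol v1 line. It validates the line against the described layout, peels it off the front of the TCP stream, and tags each following syslog line with the real client IP so that hosts sharing a hostname in different VPCs can still be told apart. The sample stream and hostnames are constructed for the example.

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class ProxyHeader(NamedTuple):
    proto: str          # "TCP4" or "TCP6"
    client_ip: str      # real source address behind the ELB
    proxy_ip: str       # address the ELB connected from
    client_port: int
    proxy_port: int


# Layout from the message above: PROXY <proto> <client ip> <proxy ip> <client port> <proxy port>\r\n
_HDR_RE = re.compile(r"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")


def parse_proxy_line(line: str) -> ProxyHeader:
    """Parse one PROXY v1 header line; raise ValueError on anything malformed."""
    m = _HDR_RE.match(line)
    if not m:
        raise ValueError("not a valid PROXY v1 header line")
    proto, cip, pip, cport, pport = m.groups()
    family = 4 if proto == "TCP4" else 6
    for addr in (cip, pip):
        # ip_address() itself raises ValueError for garbage; also enforce the family
        if ipaddress.ip_address(addr).version != family:
            raise ValueError(f"address {addr} does not match {proto}")
    ports = (int(cport), int(pport))
    if any(p > 65535 for p in ports):
        raise ValueError("port out of range")
    return ProxyHeader(proto, cip, pip, *ports)


def is_valid_proxy_line(line: str) -> bool:
    try:
        parse_proxy_line(line)
        return True
    except ValueError:
        return False


def split_stream(data: bytes) -> Tuple[ProxyHeader, bytes]:
    """Separate the leading PROXY header from the syslog payload that follows it."""
    end = data.find(b"\r\n")
    # The v1 protocol caps the header at 107 bytes including CRLF; treat longer as junk.
    if end < 0 or end + 2 > 107:
        raise ValueError("missing or oversized PROXY header")
    return parse_proxy_line(data[:end + 2].decode("ascii")), data[end + 2:]


def tag_messages(data: bytes) -> List[str]:
    """Prefix each syslog line with the real client IP recovered from the header."""
    hdr, payload = split_stream(data)
    return [f"[{hdr.client_ip}] {ln}" for ln in payload.decode("utf-8").splitlines() if ln]


# Constructed sample: the header from the question followed by one syslog line.
SAMPLE = (b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
          b"<13>Oct 15 19:28:00 web01 sshd[123]: Accepted publickey\n")
```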