Thanks, yes, this was my first guess. Anyway, due to too much potential for unexpected behaviour when using a spoofed address, I dropped this idea. I'm trying to make a syslog-ng relay server (for 4-5 different Cisco devices) to forward logs to a Logstash server. Somehow I need to save the SOURCE IP address of every log and add it to the message when forwarding to the syslog server. Is it possible? Could someone give some guidelines? The best way would be to leave the message untouched and just add some field to the syslog message (for example at the end). Thanks

On Thu, Apr 9, 2020 at 11:09 AM Antal Nemes (anemes) <Antal.Nemes@oneidentity.com> wrote:
Hello,
There is an `rp_filter` kernel feature that might affect you: https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/ Or this may be another routing problem, a firewall or SELinux.
It would be worth checking whether the packet arrives at the next hop, using tcpdump.
Br, Antal
------------------------------
*From:* syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Edvinas Kairys <edvinas.email@gmail.com>
*Sent:* Wednesday, April 8, 2020 19:57
*To:* syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
*Subject:* [syslog-ng] mystique with spoof_address
Hello, I installed (via yum install) the following version on a CentOS 7 box.
syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Dec 30 2015 19:57:24
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on
My goal is to forward syslog messages 'untouched' but to change the source address to the original one. For that case I'm using spoof-address.
My conf is like this:
options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (no);
    mark-freq (0);
};

source s_network {
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

destination d_syslog_tcp {
    network("10.13.33.125" transport("udp") port(5140) spoof-source(yes));
};

log { source(s_network); destination(d_syslog_tcp); };

# f_default and d_mesg are defined elsewhere in the file (not shown in this excerpt)
log { source(s_network); filter(f_default); destination(d_mesg); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"
The strange thing is that when I enable spoof-source, some packets are not transmitted to the destination. Even tcpdump says they are sent, but I don't see some logs on the destination box. Could it be something with the spoof_source command? Also, I didn't compile it myself, because I saw that the SPOOF functionality is on in the syslog-ng -V output.
Any suggestions ?
Thanks
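Worked example for the relay question in the reply at the top of the thread (added here as an illustration; it is not code from the thread or from the syslog-ng project). It keeps the datagram unparsed and appends the sending device's address using the `${SOURCEIP}` macro, instead of spoofing the source address, so the forwarded packets carry the relay's own IP and are not exposed to the rp_filter / anti-spoofing problem discussed above. Assumptions: the relay listens on UDP/514, Logstash listens on UDP/5140 at 10.13.33.125 (the address from the original config), and the field name `relay_src` is invented for this example. `$(format-json)` is deliberately not used, because `json-plugin` is not in the module list of the `syslog-ng -V` output above.

```conf
@version: 3.5

# Added example, not from the original thread.
# Assumed layout: Cisco devices -> this relay (UDP/514) -> Logstash at 10.13.33.125:5140.

options {
    use-dns(no);
    use-fqdn(no);
    keep-hostname(no);      # ${HOST} becomes the relay's name; ${SOURCEIP} is unaffected
    chain-hostnames(off);
    create-dirs(no);
    time-reopen(10);
    log-fifo-size(1000);
};

# flags(no-parse) stores the whole datagram, <PRI> header included, in ${MESSAGE}.
source s_cisco {
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

# ${SOURCEIP} is the address of the peer that delivered the message to this relay
# (the socket peer address). The trailing "relay_src=" field name is invented here.
template t_with_source {
    template("${MESSAGE} relay_src=${SOURCEIP}\n");
    template-escape(no);
};

# No spoof-source: packets leave with the relay's own source address.
destination d_logstash {
    network("10.13.33.125" transport("udp") port(5140) template(t_with_source));
};

log { source(s_cisco); destination(d_logstash); };

# For comparison, the spoofing variant from the original post. Caveats:
#  - works only with UDP transport;
#  - needs root or CAP_NET_RAW, since syslog-ng writes raw packets;
#  - the receiver's rp_filter (strict mode) or anti-spoofing filters in the
#    network may silently drop packets whose source address they do not expect.
#destination d_logstash_spoofed {
#    network("10.13.33.125" transport("udp") port(5140) spoof-source(yes));
#};
```

Check the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before reloading. On the Logstash side the trailing field can be picked up with a grok pattern such as `%{GREEDYDATA:raw} relay_src=%{IP:relay_src}`. If you do stay with the spoofed variant, follow Antal's suggestion first: `sysctl net.ipv4.conf.all.rp_filter` on the receiver (1 = strict, 2 = loose, 0 = off) and `tcpdump -ni any udp port 5140` on both hosts will show whether the spoofed datagrams leave the relay and whether they are still present when they reach 10.13.33.125.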
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq