Hi,

Hoping someone has seen an easy fix for this. Sorry if it's specifically referenced somewhere I'm not seeing.

Dealing with a vendor who is not able to leverage the RFC headers or TCP input. We have rsyslog relays in remote sites sending TCP/514 to syslog-ng and others locally sending directly to syslog-ng TCP/UDP 514. The devices sending directly to syslog-ng are reporting to the IDS correctly. Hosts relaying through rsyslog are showing a source address of the relay.

/etc/rsyslog.d/forward.conf

    $ActionQueueFileName fwdRule1      # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g        # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on      # save messages to disk on shutdown
    $ActionQueueType LinkedList        # run asynchronously
    $ActionResumeRetryCount -1         # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    *.* @@syslog-ngIP:514

/etc/syslog-ng/conf.d

    source s_net_tcp {
        tcp(ip(0.0.0.0) port(514) max-connections(300) keep_hostname(yes)
            so_rcvbuf(262142) log_iw_size(25000));
    };
    source s_net_udp {
        syslog(ip(0.0.0.0) keep_hostname(yes) port(514) transport("udp")
               flags(no-hostname) so_rcvbuf(262142));
    };
    destination d_ids {
        network("IDSHOSTNAME" spoof_source(yes) transport(udp) port(514)
                flags(syslog-protocol));
    };
    log { source(s_net_udp);
        channel { filter(f_ids); destination(d_ids); };
        channel { parser(pattern_db); destination(d_es); };
    };
    log { source(s_net_tcp);
        channel { filter(f_ids); destination(d_ids); };
        channel { parser(pattern_db); destination(d_es); };
    };
Just to verify, try a tcpdump of the traffic going through the relay to see what syslog-ng is receiving.

Jim

-------- Original message --------
From: Scot <scotrn@gmail.com>
Date: 2/5/18 3:21 PM (GMT-05:00)
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Rsyslog relay or syslog-ng ?
The Msg: header seems to be formatted correctly. Relabeled some data.

    15:44:07.886743 IP (tos 0x10, ttl 64, id 8925, offset 0, flags [none], proto UDP (17), length 513)
        RSYSLOG_RELAYIP.58828 > IDS_TARGETIP.syslog: SYSLOG, length: 485
        Facility local0 (16), Severity info (6)
        Msg: 1 2018-02-05T15:44:07-05:00 MD_FWPA01 1,2018/02/05 - - - 15:44:07,007801000484,TRAFFIC,drop,1,2018/02/05 15:44:07,10.162.57.38,172.217.3.36,0.0.0.0,0.0.0.0,Default-Deny-Log,,,not-applicable,vsys1,SOUND-Trust,SOUND-Untrust,ae2.100,,SOUND-LogForwarder,2018/02/05 15:44:07,0,1,60886,443,0,0,0x4000,udp,deny,1396,1396,0,1,2018/02/05 15:44:07,0,any,0,95104452051,0x0,10.0.0.0-10.255.255.255,US,0,1,0,policy-deny,21,12,23,0,SOUND,MD_FWPA01,from-policy\0x0a
Hmmm - looks like (maybe) the message part is not being parsed correctly at the rsyslog server: the MSG part seems to have a syslog message header including a TIMESTAMP and the HOSTNAME of the originating server, MD_FWPA01, followed by the rest of the MSG.

I may be missing something - and it might not be RFC 5424 (https://tools.ietf.org/html/rfc5424) compliant - but I think the rsyslogd is wrapping the whole thing in another header before it is being sent along.

Jim

On Mon, Feb 5, 2018 at 3:50 PM, Scot <scotrn@gmail.com> wrote:
    The Msg: header seems to be formatted correctly. Relabeled some data.

Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
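The header fields of the capture above and the question of whether a second header is hidden inside the MSG part can both be checked with a few lines of code. This is an added example, not code from the thread, from syslog-ng or from rsyslog. Its sample payload is reconstructed from the tcpdump output posted above (PRI <134> from local0/info, then the bytes tcpdump printed after "Msg:"); the relay address 192.0.2.10 stands in for the relabelled RSYSLOG_RELAYIP, and the two RFC 3164 lines are constructed to show a relay that keeps the original HOSTNAME next to one that wraps the received line in a fresh header of its own. The parser splits PRI and an RFC 5424 or RFC 3164 header, reports the host named in the header beside the address the datagram actually came from (the only thing a consumer keyed on source address sees), flags a MSG part that itself starts with another syslog header, and rejoins the APP-NAME token with MSG so the firewall's comma-separated record can be read whole.

```python
"""Split a relayed syslog datagram into header fields and check what a
downstream consumer would attribute it to.

Added example for this thread; not code from syslog-ng, rsyslog or any
poster. CAPTURED_PAYLOAD is reconstructed from the tcpdump output in the
thread: PRI <134> is local0 (16) * 8 + info (6), followed by the bytes
tcpdump printed after "Msg:". RELAY_IP stands in for the relabelled
RSYSLOG_RELAYIP (assumption). The two RFC 3164 lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

RELAY_IP = "192.0.2.10"  # placeholder for RSYSLOG_RELAYIP (RFC 5737 range)

CAPTURED_PAYLOAD = (
    "<134>1 2018-02-05T15:44:07-05:00 MD_FWPA01 1,2018/02/05 - - - "
    "15:44:07,007801000484,TRAFFIC,drop,1,2018/02/05 15:44:07,"
    "10.162.57.38,172.217.3.36,0.0.0.0,0.0.0.0,Default-Deny-Log,,,"
    "not-applicable,vsys1,SOUND-Trust,SOUND-Untrust,ae2.100,,"
    "SOUND-LogForwarder,2018/02/05 15:44:07,0,1,60886,443,0,0,0x4000,udp,"
    "deny,1396,1396,0,1,2018/02/05 15:44:07,0,any,0,95104452051,0x0,"
    "10.0.0.0-10.255.255.255,US,0,1,0,policy-deny,21,12,23,0,SOUND,"
    "MD_FWPA01,from-policy\n"
)

# Constructed: a relay forwarding in traditional BSD format that keeps the
# original HOSTNAME, and one that wraps the whole received line in a header
# of its own (the case the thread asks about).
RFC3164_KEPT_HOST = ("<134>Feb  5 15:44:07 MD_FWPA01 "
                     "1,2018/02/05 15:44:07,007801000484,TRAFFIC,drop")
RFC3164_WRAPPED = ("<134>Feb  5 15:44:07 relay01 "
                   "<134>Feb  5 15:44:07 MD_FWPA01 "
                   "1,2018/02/05 15:44:07,007801000484,TRAFFIC,drop")

_PRI = re.compile(r"^<(\d{1,3})>")
_TS3164 = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
# RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA
_RFC5424 = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$", re.S)
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " followed by TAG and content
_RFC3164 = re.compile(r"^(?P<ts>" + _TS3164 + r") (?P<host>\S+) (?P<msg>.*)$", re.S)
# A MSG part that itself begins with an optional PRI and a header of either form
_NESTED = re.compile(r"^(?:<\d{1,3}>)?(?:1 \d{4}-\d\d-\d\dT\S+ \S+ |" + _TS3164 + r" \S+ )")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    rfc: str               # "5424" or "3164"
    timestamp: str
    hostname: str          # what the header says the origin is
    app_name: Optional[str]
    msg: str
    transport_src: str     # what the IP layer says the origin is


def parse_syslog(payload: Union[bytes, str], transport_src: str) -> SyslogMessage:
    """Split PRI and header; raise ValueError on anything that is not syslog."""
    text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else payload
    text = text.rstrip("\r\n")
    m = _PRI.match(text)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    rest = text[m.end():]
    h = _RFC5424.match(rest)
    if h:
        return SyslogMessage(pri // 8, pri % 8, "5424", h["ts"], h["host"],
                             h["app"], h["msg"], transport_src)
    h = _RFC3164.match(rest)
    if h:
        return SyslogMessage(pri // 8, pri % 8, "3164", h["ts"], h["host"],
                             None, h["msg"], transport_src)
    raise ValueError("unrecognised syslog header")


def has_nested_header(m: SyslogMessage) -> bool:
    """True when MSG begins with a second syslog header, i.e. a relay wrapped
    a complete message instead of re-emitting its fields."""
    return _NESTED.match(m.msg) is not None


def origin_by(m: SyslogMessage) -> dict:
    """The origin as seen by a consumer keyed on the packet's source address
    versus one that reads the header HOSTNAME."""
    return {"source_address": m.transport_src, "header_hostname": m.hostname}


def csv_record(m: SyslogMessage) -> List[str]:
    """Rejoin APP-NAME and MSG with the single space that separated them and
    split the vendor's comma-separated record. In the capture the APP-NAME
    slot holds the record's first token and MSG the remainder."""
    body = m.msg if m.app_name in (None, "-") else m.app_name + " " + m.msg
    return body.split(",")


if __name__ == "__main__":
    msg = parse_syslog(CAPTURED_PAYLOAD, RELAY_IP)
    print(origin_by(msg), "nested header:", has_nested_header(msg))
    print(csv_record(msg)[:9])
```

Run against the capture, the header names MD_FWPA01 while the datagram's source address is the relay's, the APP-NAME slot holds the first comma-separated token of the firewall record, and the MSG part does not start with another header; the constructed wrapped line is the case the check fires on. Feeding it the payload captured at the relay's ingress and again at syslog-ng's ingress shows at which hop the header fields or the source address change.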
I replaced syslog-ng on the relay to work around this.

On Mon, Feb 5, 2018 at 7:20 PM, Jim Hendrick <james.r.hendrick@gmail.com> wrote:
    Hmmm - looks like (maybe) the message part is not being parsed correctly at the rsyslog server: the MSG part seems to have a syslog message header including a TIMESTAMP and the HOSTNAME of the originating server, MD_FWPA01, followed by the rest of the MSG.
participants (3): james.r.hendrick, Jim Hendrick, Scot