Host/IP Macros in relay chains
Question on Host/IP Macros in relay chains.

Is there a way to present the original sender IP on a final relay in a chain of several relays? With hostname, the FULLHOST and HOST macros are capable of doing this (with tuning of keep_hostname() and chain_hostnames()). Their corresponding FULLHOST_FROM and HOST_FROM macros exhibit the same behaviours as the SOURCEIP macro in the sense that they only provide the NAME/IP of the previous relay.

I have read Michael Gehrmann's post " https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006695.html " which discusses the compile time option "--enable-spoof-source" feature which spoofs the sourceip using UDP, but this doesn't really help as I need to use tcp and retain the relay's source (firewalls in the chain). Presumably this setting would also be required on all members of the relay chain.

I guess I am really looking for an alternative way to achieve a similar effect to Michael's solution using the first (original) entry in the chain (rather than spoofing the last entry in the chain at all points through the chain), however to force an IP from the original sender's entry in the chain (Reverse/PTR DNS resolution perhaps ??).

What HOST_FROM is-to HOST, SOURCEIP is-to what I want.

Does anyone know whether this is currently possible (or in pipeline development)? Maybe in the premium version (although I can't see it documented there either)???

Thanks,
Philip

Excerpts from the syslog-ng-v2.0 admin guide (section 9.5 Macros):

FULLHOST: The full FQDN of the host name chain (without trimming chained hosts), including the domain name. To use this macro, make sure that the keep_hostname() option is enabled.

FULLHOST_FROM: FQDN of the host that sent the message to syslog-ng as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled.

HOST: The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option is on, the first host in the chain is used. To use this macro, make sure that the keep_hostname() option is enabled.

HOST_FROM: Name of the host that sent the message to syslog-ng, as resolved by syslog-ng using DNS. If the message traverses several hosts, this is the last host in the chain. To use this macro, make sure that the keep_hostname() option is enabled.

SOURCEIP: IP address of the host that sent the message to syslog-ng. (I.e. the IP address of the host in the FULLHOST_FROM macro.) Please note that when a message traverses several relays, this macro contains the IP of the last relay.
Hi,
Question on Host/IP Macros in relay chains.
Is there a way to present the original sender IP on a final relay in a chain of several relays ?
When the sender sends its IP address instead of its hostname (or you use templates on the first relay which uses SOURCEIP instead of HOST) then the IP address should get preserved in the hostname field.
With hostname, the FULLHOST and HOST macros are capable of doing this (with tuning of keep_hostname() and chain_hostnames() )
AFAIK keep_hostname() excludes the effect of chain_hostnames(), so chain_hostnames() doesn't work here.
Their corresponding FULLHOST_FROM and HOST_FROM macros exhibit the same behaviours as the SOURCEIP macro in the sense that they only provide the NAME/IP of the previous relay.
More precisely the _FROM macros use the remote end of the transport the log arrived on. Not the originating host when there are relays!
I have read Michael Gehrmann's post " https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006695.html " which discusses the compile time option "--enable-spoof-source" feature which spoofs the sourceip using UDP but this doesn't really help as I need to use tcp and retain the relay's source (firewalls in the chain). Presumably this setting would also be required on all members of the relay chain.
You can use templates on the relays, and prepend/append the last hop to the hostname part to mimic the effect of chain_hostnames. I'm not familiar with syslog-ng 3.0, but I guess it's easier to rewrite logs with that version.
I guess I am really looking for an alternative way to achieve similar effect to Michael's solution using the first (original) entry in the chain (rather than spoofing the last entry in the chain at all points through the chain) however to force an IP from the original sender's entry in the chain (Reverse/PTR DNS resolution perhaps ??).
What HOST_FROM is-to HOST, SOURCEIP is-to what I want.
HOST and HOST_FROM are quite different as described above.

hth,
Sandor
Sandor,

Thanks for your comments and useful suggestions.

The requirement is somewhat complicated in that at a point along the chain, I need to have the originating hostname for host filtering purposes, whereas at the end of the chain, I need syslog-ng to present the IP. That's why I began talking about reverse name resolution on the last relay.

Regards
Philip

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Geller, Sandor (IT)
Sent: 09 January 2009 10:14
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Host/IP Macros in relay chains
On Fri, 2009-01-09 at 10:46 +0000, Pennington, Philip wrote:
Sandor,
Thanks for your comments and useful suggestions.
The requirement is somewhat complicated in that at a point along the chain, I need to have the originating hostname for host filtering purposes, whereas at the end of the chain, I need syslog-ng to present the IP. That's why I began talking about reverse name resolution on the last relay.
well, with syslog-ng 3.0 and parse/rewrite you could probably encode all the needed information into the message payload and then change it back at the endpoints.

see my blog about parse/rewrite capabilities: http://bazsi.blogs.balabit.com/2008/10/syslog-ng-message-parsing.html

or the what's new document: http://www.balabit.com/dl/guides/syslog-ng-v3.0-guide-whatsnew-en.pdf

the open source version of syslog-ng 3.0 is already released, although the official announcement is still due.

--
Bazsi
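The two suggestions in this thread (Sandor's: use templates on the first relay so the sender's address survives in the payload; Bazsi's: encode the extra information into the message and parse/rewrite it back at the endpoint) combined into one configuration, as an added illustration that is not from the thread or from the syslog-ng project. It is written in syslog-ng 3.0 syntax and assumes three separate syslog-ng.conf files (one per hop), the hostnames relay2.example.com and collector.example.com, TCP port 514, a host filter pattern of "^fw-", and that csv-parser() accepts template() and flags(greedy) as in the 3.x documentation.

```conf
# ===== Hop 1: first relay, the only hop where $SOURCEIP is still the sender =====
options { keep_hostname(yes); chain_hostnames(no); use_dns(yes); };
source s_net { tcp(ip(0.0.0.0) port(514)); };
# Keep the sender's hostname in the host field (needed for filtering further
# down the chain) and prepend its address to the message text. Unlike
# --enable-spoof-source this touches only the payload, so it works over TCP and
# the relay's own source address stays intact for the firewalls in between.
template t_encode { template("<$PRI>$DATE $HOST $MSGHDR$SOURCEIP $MSG\n"); };
destination d_relay2 { tcp("relay2.example.com" port(514) template(t_encode)); };
log { source(s_net); destination(d_relay2); };

# ===== Hop 2: intermediate relay, filter on the original hostname, forward as is =====
options { keep_hostname(yes); chain_hostnames(no); };
source s_net { tcp(ip(0.0.0.0) port(514)); };
# $HOST is the originating device here because keep_hostname(yes) leaves the
# received host field alone; $SOURCEIP / $HOST_FROM would only name hop 1.
filter f_firewalls { host("^fw-"); };
destination d_collector { tcp("collector.example.com" port(514)); };
log { source(s_net); filter(f_firewalls); destination(d_collector); };

# ===== Hop 3: endpoint, recover the encoded IP and present it as the host =====
options { keep_hostname(yes); chain_hostnames(no); };
source s_net { tcp(ip(0.0.0.0) port(514)); };
# Split "ORIGIP rest-of-message" out of the text hop 1 produced; greedy leaves
# everything after the first space in ORIGMSG so the original text is kept whole.
parser p_origip {
    csv-parser(columns("ORIGIP", "ORIGMSG") delimiters(" ")
               flags(greedy, escape-none) template("$MSG"));
};
# Move the original sender address into HOST and put the untouched text back into MSG.
rewrite r_origip {
    set("$ORIGIP", value("HOST"));
    set("$ORIGMSG", value("MSG"));
};
destination d_by_ip { file("/var/log/by-ip/$HOST.log" create_dirs(yes)); };
log { source(s_net); parser(p_origip); rewrite(r_origip); destination(d_by_ip); };
```

A message that arrives at hop 1 from a device whose host field reads fw-edge1 is forwarded as "fw-edge1 prog[pid]: 192.0.2.10 text", passes hop 2's host() filter on that name, and is written at hop 3 under /var/log/by-ip/192.0.2.10.log with $MSG restored to "text" (192.0.2.10 is a constructed sample address).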
Participants (3): Balazs Scheidler; Geller, Sandor (IT); Pennington, Philip