I have some machines behind a firewall VLAN of 10.0.240.0 sending logs to a Linux Syslog server on the 10.0.230.0 network. The 2 machines are 10.0.240.71 and 10.0.240.72 and the Syslog server is 10.0.230.222. They are Windows and I am using the Eventlog to Syslog utility from Purdue University (https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys) to convert the Windows event logs to Syslog.

Syslog is getting the information; however, any information from the 2 machines is coming in as 10.0.230.1.

-------
Sep 28 11:37:54 10.0.230.1 Service Control .......   <---- This machine is actually 10.0.240.71
-------

Is there a way to get Syslog to read the correct IP information? Or does Syslog simply not pass correct host information through a router?

thanks,
tom
On Thu, Sep 28, 2006 at 01:05:39PM -0400, Tom Valdes wrote:
> I have some machines behind a firewall VLAN of 10.0.240.0 sending logs to a Linux Syslog server on the 10.0.230.0 network. The 2 machines are 10.0.240.71 and 10.0.240.72 and the Syslog server is 10.0.230.222. They are Windows and I am using the Eventlog to Syslog utility from Purdue University (https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys) to convert the Windows event logs to Syslog.
>
> Syslog is getting the information; however, any information from the 2 machines is coming in as 10.0.230.1.
>
> -------
> Sep 28 11:37:54 10.0.230.1 Service Control .......   <---- This machine is actually 10.0.240.71
> -------
>
> Is there a way to get Syslog to read the correct IP information? Or does Syslog simply not pass correct host information through a router?
This evtsys might leave out the hostname information, like Linux sysklogd or Solaris syslogd. This behavior is documented here:

http://www.campin.net/syslog-ng/syslog.html

If evtsys is in fact sending the hostname, use

options { keep_hostname(yes); };

...as described for a similar problem here, where the source IP of the UDP/TCP packets is different from the original syslog client source:

http://www.campin.net/syslog-ng/faq.html#stunnel

--
Nate

"We are discreet sheep; we wait to see how the drove is going, and then go with the drove." - Samuel Clemens
It looks like evtsys is not including the host name. I had already tried the "options { keep_hostname(yes); };" option without any luck. I also tried another program, "ntsyslog", which gives more options (like which events to forward), but it also doesn't include the hostname.

Do you know of any programs which may do what I need? If not, I'll create a separate thread looking for something.

thanks,
tom

On 9/28/06, Nate Campi <nate@campin.net> wrote:
> This evtsys might leave out the hostname information, like Linux sysklogd or Solaris syslogd. This behavior is documented here:
>
> http://www.campin.net/syslog-ng/syslog.html
>
> If evtsys is in fact sending the hostname, use
>
> options { keep_hostname(yes); };
>
> ...as described for a similar problem here, where the source IP of the UDP/TCP packets is different from the original syslog client source:
>
> http://www.campin.net/syslog-ng/faq.html#stunnel
>
> --
> Nate
>
> "We are discreet sheep; we wait to see how the drove is going, and then go with the drove." - Samuel Clemens
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On 9/28/06, Tom Valdes <tom.valdes@gmail.com> wrote:
> Do you know of any programs which may do what I need? If not, I'll create a separate thread looking for something.
I'm using SNARE on MS-Windows machines to send event logs to syslog-ng. The source IP does appear in the logs correctly. The one annoying "feature" is that fields within events are delimited by TABs, so my logs look like this:

2006-09-28T12:16:07-0500 <user.info> 1.2.3.4 MSWinEventLog 1 System 312 Thu Sep 28 12:16:37 2006 7036 Service Control Manager Unknown User N/A Information SOMEHOST None The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state. 242

I have this destination set as

template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")

Kevin
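An added example (not code from the thread, syslog-ng, evtsys or SNARE) that models the two points raised above: a receiver that falls back to the packet source address records the NAT router (10.0.230.1) when the sender omits the header hostname, and a SNARE MSWinEventLog record carries the Windows computer name as a tab-delimited field that can be used instead. The positional SNARE field names below are an assumption read off Kevin's sample; the tab-joined record and the evtsys-style message are constructed sample input.

```python
"""Model of how a syslog receiver picks $HOST, and a parser for SNARE's
tab-delimited MSWinEventLog payload. Added example, not project code."""

# Positional field names assumed from the layout of the sample record above.
SNARE_FIELDS = [
    "tag", "criticality", "event_log", "counter", "datetime", "event_id",
    "source_name", "user", "sid_type", "event_type", "computer_name",
    "category", "message", "trailer",
]

# Constructed sample: Kevin's record with the TAB delimiters restored.
SNARE_MSG = "\t".join([
    "MSWinEventLog", "1", "System", "312", "Thu Sep 28 12:16:37 2006", "7036",
    "Service Control Manager", "Unknown User", "N/A", "Information", "SOMEHOST",
    "None", "The WinHTTP Web Proxy Auto-Discovery Service service entered "
    "the stopped state.", "242",
])

# Constructed sample of an evtsys-style message body with no hostname in it.
EVTSYS_MSG = "Service Control Manager: The service entered the stopped state."


def parse_snare(msg):
    """Split a MSWinEventLog record into named fields; None if it is not SNARE."""
    parts = msg.split("\t")
    if parts[0] != "MSWinEventLog" or len(parts) < len(SNARE_FIELDS):
        return None
    fields = dict(zip(SNARE_FIELDS, parts))
    # The free-text message may itself contain tabs; the trailer is always last.
    fields["message"] = "\t".join(parts[12:-1])
    fields["trailer"] = parts[-1]
    return fields


def choose_host(header_host, peer_addr, msg, keep_hostname):
    """Return (host, source) the way a receiver would fill $HOST.
    header_host: hostname token from the syslog header, None if the sender omits it.
    peer_addr:   source IP of the UDP/TCP packet; behind NAT this is the router.
    keep_hostname: models syslog-ng's keep_hostname(yes/no)."""
    snare = parse_snare(msg)
    if snare:                                  # trust the name the agent embedded
        return snare["computer_name"], "snare-computer-name"
    if keep_hostname and header_host:          # keep_hostname(yes) and a name is present
        return header_host, "header"
    return peer_addr, "packet-source"          # otherwise: whatever IP the packet had


if __name__ == "__main__":
    print(choose_host(None, "10.0.230.1", EVTSYS_MSG, True))   # router address wins
    print(choose_host(None, "10.0.230.1", SNARE_MSG, False))   # SOMEHOST from the record
```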