Hi! I am trying to work out if syslog-ng can act as a relay without doing "noticeable" changes to the syslog message in terms of what the syslog server sees. The problem: 1) The device sends non-standard syslog messages 2) The syslog needs to go to 2 end systems, the device supports 1 3) One of the end devices needs to receive the syslog in exactly the same for as originally sent by the device So, I have been trying destinations as follows: destination d_remote { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")); udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")); }; I have also tried various combinations having "template" and adding FACILITY and LEVEL, but I am current failing to reproduce the original packet. My results: Template Result ========================================== None Relayed message has standard date and hostname added which weren't in original package. $MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages. Adding $FACILITY and $LEVEL/$PRIORITY doesn't seem to do what I need as they don't appear to go into the right fields, and syslog-ng appears to put KERN.EMERG in instead... The version I am running on is 2.0.4. If anyone has managed to get this working like this, I would be grateful of any pointers. Thanks, Joel
Hi, Moxey, Joel, VF UK - Technology (TS) <Joel.Moxey@vodafone.com> [20070619 10:14:24 +0100]:
Hi!
I am trying to work out if syslog-ng can act as a relay without doing "noticeable" changes to the syslog message in terms of what the syslog server sees.
I would be more inclinded to probably consider using netcat[1]. You probably could do something like (I might have this wrong though, its called a 'netcat relay'): $ mknod transferpipe p $ nc -u <dest-ip> 514 < transferpipe | nc -u -l -p 514 > transferpipe Cheers Alex [1] http://www.securitydocs.com/library/3376
The problem:
1) The device sends non-standard syslog messages 2) The syslog needs to go to 2 end systems, the device supports 1 3) One of the end devices needs to receive the syslog in exactly the same for as originally sent by the device
So, I have been trying destinations as follows:
destination d_remote { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")); udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")); };
I have also tried various combinations having "template" and adding FACILITY and LEVEL, but I am current failing to reproduce the original packet.
My results:
Template Result ========================================== None Relayed message has standard date and hostname added which weren't in original package. $MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages.
Adding $FACILITY and $LEVEL/$PRIORITY doesn't seem to do what I need as they don't appear to go into the right fields, and syslog-ng appears to put KERN.EMERG in instead...
The version I am running on is 2.0.4.
If anyone has managed to get this working like this, I would be grateful of any pointers.
Thanks,
Joel
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Hi, Sorry ignore all that, got distracted by your first paragraph, should have read on, my mistake. "As you were..." Regards Alex Alexander Clouter <ac56@soas.ac.uk> [20070619 10:48:20 +0100]:
Hi,
Moxey, Joel, VF UK - Technology (TS) <Joel.Moxey@vodafone.com> [20070619 10:14:24 +0100]:
Hi!
I am trying to work out if syslog-ng can act as a relay without doing "noticeable" changes to the syslog message in terms of what the syslog server sees.
I would be more inclinded to probably consider using netcat[1]. You probably could do something like (I might have this wrong though, its called a 'netcat relay'):
$ mknod transferpipe p $ nc -u <dest-ip> 514 < transferpipe | nc -u -l -p 514 > transferpipe
Cheers
Alex
[1] http://www.securitydocs.com/library/3376
The problem:
1) The device sends non-standard syslog messages 2) The syslog needs to go to 2 end systems, the device supports 1 3) One of the end devices needs to receive the syslog in exactly the same for as originally sent by the device
So, I have been trying destinations as follows:
destination d_remote { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")); udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")); };
I have also tried various combinations having "template" and adding FACILITY and LEVEL, but I am current failing to reproduce the original packet.
My results:
Template Result ========================================== None Relayed message has standard date and hostname added which weren't in original package. $MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages.
Adding $FACILITY and $LEVEL/$PRIORITY doesn't seem to do what I need as they don't appear to go into the right fields, and syslog-ng appears to put KERN.EMERG in instead...
The version I am running on is 2.0.4.
If anyone has managed to get this working like this, I would be grateful of any pointers.
Thanks,
Joel
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Hi!
I am trying to work out if syslog-ng can act as a relay without doing "noticeable" changes to the syslog message in terms of what the syslog server sees.
The problem:
1) The device sends non-standard syslog messages
That might be a problem. You should try using the flags(no-parse); option in your source definition, however if you want to use macros then you'll be in trouble
2) The syslog needs to go to 2 end systems, the device supports 1
shouldn't be a problem
3) One of the end devices needs to receive the syslog in exactly the same for as originally sent by the device
might be tricky...
So, I have been trying destinations as follows:
destination d_remote { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")); udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")); };
Instead of this you should use two different destination definitions: destination d_remote_one { ... }; destination d_remote_two { ... }; and later log { source(...); filter(...); destination(d_remote_one); destination(d_remote_two); };
I have also tried various combinations having "template" and adding FACILITY and LEVEL, but I am current failing to reproduce the original packet.
My results:
Template Result ========================================== None Relayed message has standard date and hostname added which weren't in original package.
that might happen even when you disable parsing of the message
$MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages.
try using template("<$M_PRI> $MESSAGE\n");
Adding $FACILITY and $LEVEL/$PRIORITY doesn't seem to do what I need as they don't appear to go into the right fields, and syslog-ng appears to put KERN.EMERG in instead...
The first part of the message defines the facility/priority. Using macros you should use <$M_PRI> , however this depends on the parsing of the message... I think the really authorative answer to your questions might come from Bazsi, so you should wait for his answer :) Regards, Sandor -------------------------------------------------------- NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
On Tue, 2007-06-19 at 10:50 +0100, Geller, Sandor (IT) wrote:
So, I have been trying destinations as follows:
destination d_remote { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")); udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")); };
Instead of this you should use two different destination definitions:
destination d_remote_one { ... };
destination d_remote_two { ... };
and later
log { source(...); filter(...); destination(d_remote_one); destination(d_remote_two); };
Organizing destinations is a matter of preference, so this is not strictly required.
$MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages.
try using template("<$M_PRI> $MESSAGE\n");
M_PRI is not a valid macro, the above format should be written as "<$PRI> $MESSAGE\n", M_PRI is the internal identifier for that macro. Please note that PRIORITY and PRI are not the same. "PRI" denotes the PRI field of the syslog header, which is comprised of a FACILITY and a LEVEL value. PRIORITY is an alias for LEVEL. Sorry for the confusing names. Partly this is caused by compatibility with older versions of syslog-ng. If the incoming message at least resembles to a syslog message (e.g. it has a proper PRI heading), then you could use the template defined above. If it does not, you could still use the no-parse flag for your input, and "$MESSAGE\n" as output template. -- Bazsi
Thank you very much... that works very well indeed... Summary of config: source s_remote { udp(ip(0.0.0.0) port(514) flags(no-parse)); }; destination d_one { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n") template-escape(no)); }; destination d_two { udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n") template-escape(no)); }; log { source(s_local); destination(d_one); destination(d_two) }; I added the template-escape as I found that some " were being escaped - changing the original message slightly. Joel -----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler Sent: 19 June 2007 12:19 pm To: Syslog-ng users' and developers' mailing list Subject: RE: [syslog-ng] syslog-ng as a relay On Tue, 2007-06-19 at 10:50 +0100, Geller, Sandor (IT) wrote:
So, I have been trying destinations as follows:
destination d_remote { udp("X.X.X.X" port(514) spoof_source(yes) template("$MESSAGE\n")); udp("Y.Y.Y.Y" port(514) spoof_source(yes) template("$MESSAGE\n")); };
Instead of this you should use two different destination definitions:
destination d_remote_one { ... };
destination d_remote_two { ... };
and later
log { source(...); filter(...); destination(d_remote_one); destination(d_remote_two); };
Organizing destinations is a matter of preference, so this is not strictly required.
$MESSAGE\n Syslog facility and priority headers are stripped away from relayed messages.
try using template("<$M_PRI> $MESSAGE\n");
M_PRI is not a valid macro, the above format should be written as "<$PRI> $MESSAGE\n", M_PRI is the internal identifier for that macro. Please note that PRIORITY and PRI are not the same. "PRI" denotes the PRI field of the syslog header, which is comprised of a FACILITY and a LEVEL value. PRIORITY is an alias for LEVEL. Sorry for the confusing names. Partly this is caused by compatibility with older versions of syslog-ng. If the incoming message at least resembles to a syslog message (e.g. it has a proper PRI heading), then you could use the template defined above. If it does not, you could still use the no-parse flag for your input, and "$MESSAGE\n" as output template. -- Bazsi _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
participants (4)
-
Alexander Clouter
-
Balazs Scheidler
-
Geller, Sandor (IT)
-
Moxey, Joel, VF UK - Technology (TS)