Can some servers only be allowed to be chained?
I have a central syslog server.

destination d_messages { template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n") ...

I also have some DMZes and complex firewall configs that make it not practical (or secure) to open up incoming connections from all the syslog clients back to the server. So instead, each of these "complex" areas has a syslog server in it that all the others in that subnet talk to via UDP. That one syslog server then talks to the central server via TCP - leading to one server with all syslog records.

This all works fine, but I have to "chain_hostnames(yes)" for that to work.

What I want is the UDP source on the central server to be that it does the PTR thing to figure out what $HOST is - i.e. "chain_hostnames(no)". For TCP only, "chain_hostnames(yes)". Then I can use netfilter to limit who can TCP to the server, etc.

Can that be done?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
On Fri, May 02, 2003 at 09:51:48AM +1200, Jason Haar wrote:
> What I want is the UDP source on the central server to be that it does the PTR thing to figure out what $HOST is - i.e. "chain_hostnames(no)". For TCP only, "chain_hostnames(yes)". Then I can use netfilter to limit who can TCP to the server, etc.

Jason,

You might have worked out a solution by now, but could you try to explain what you're trying to do here in different language?

--
Nate Campi
http://www.campin.net
Nate Campi wrote:
> On Fri, May 02, 2003 at 09:51:48AM +1200, Jason Haar wrote:
>
> Jason,
>
> You might have worked out a solution by now, but could you try to explain what you're trying to do here in different language?

No I haven't - so I'm more than happy to re-phrase :-)

I have an environment whereby there is a hierarchy of syslog servers. Clients in each subnet feed to a "central subnet" syslog server, then those subnet servers feed to the Central Syslog Server (CSS). The reasoning is complex - but firewalls and ACL management of those firewalls is part of the reason behind this "layering".

What I want is that each "subnet server" is talked to by its subnet's standard syslog clients via UDP, and that its template is such that it ignores the hostname the client claims to be, and instead resolves that itself. However, the "subnet servers" talk to the CSS over TCP, and it has to trust the hostnames given by the "subnet servers" - otherwise that would break those "proxied" records.

The above I can do fine. The problem is that the CSS is *also* the "subnet server" for the LAN it's on - so it needs to support UDP, etc.

So my question is: can it "trust" the hostname provided by TCP-based syslog servers, and do a PTR lookup on the ones provided via UDP. From what I can see in syslog-ng - it can't.

Thanks!

Jason
On Tue, May 13, 2003 at 07:33:54PM +1200, Jason Haar wrote:
> So my question is: can it "trust" the hostname provided by TCP-based syslog servers, and do a PTR lookup on the ones provided via UDP. From what I can see in syslog-ng - it can't.

I do the exact same thing as you, and now I understand your setup.

Basically, I ended up having to choose between running a second syslog-ng on the central host with different hostname options or using a second host on the same subnet. Basically, until you can do per-source hostname options you're out of luck.

--
Nate Campi
http://www.campin.net
Nate Campi wrote:
> Basically, I ended up having to choose between running a second syslog-ng on the central host with different hostname options or using a second host on the same subnet. Basically, until you can do per-source hostname options you're out of luck.

Yeah. I already thought of running two instances - but then I'd have to have two sets of destinations too wouldn't I? I doubt two instances of syslog-ng could write to /var/log/messages simultaneously...

Jason
On Wed, May 21, 2003 at 10:16:52PM +1200, Jason Haar wrote:
> Nate Campi wrote:
>
>> Basically, I ended up having to choose between running a second syslog-ng on the central host with different hostname options or using a second host on the same subnet. Basically, until you can do per-source hostname options you're out of luck.
>
> Yeah. I already thought of running two instances - but then I'd have to have two sets of destinations too wouldn't I? I doubt two instances of syslog-ng could write to /var/log/messages simultaneously...

No silly, the second one is simply a relay that does the hostname replacement and sends on to the second one that trusts hostnames. The first does no writing to any files.

--
Nate Campi
http://www.campin.net
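The two-instance layout Nate describes, written out as an added example syslog-ng configuration (not from the original thread; it assumes syslog-ng 3.x with the legacy udp()/tcp() drivers, the file paths shown, and port 5140 for the loopback hop between the two instances):

```conf
# --- /etc/syslog-ng/relay.conf : instance 1, the UDP front end (assumed path) ---
# Never trusts the hostname inside a UDP message: the sender's address is
# resolved via PTR lookup and that name replaces $HOST before forwarding.
# Start it with its own pid/persist/control files so it can coexist with
# instance 2, e.g.:
#   syslog-ng -f /etc/syslog-ng/relay.conf -p /run/syslog-ng-relay.pid \
#             -R /var/lib/syslog-ng/relay.persist -c /run/syslog-ng-relay.ctl
# (add the @version: line your syslog-ng build expects at the top of each file)
options {
    keep_hostname(no);      # discard the hostname the client claims
    use_dns(yes);           # resolve the peer address instead
    dns_cache(yes);
    use_fqdn(yes);
    chain_hostnames(no);    # do not append this relay's own name
};
source s_udp_clients { udp(ip(0.0.0.0) port(514)); };
# Hand the rewritten messages to instance 2 over loopback only; it writes no files.
destination d_to_main { tcp("127.0.0.1" port(5140)); };
log { source(s_udp_clients); destination(d_to_main); };

# --- /etc/syslog-ng/main.conf : instance 2, the Central Syslog Server (assumed path) ---
# Trusts $HOST as delivered, because the only TCP peers netfilter lets in are
# the subnet servers and the local relay above.
options {
    keep_hostname(yes);     # keep the hostname the subnet server supplied
    chain_hostnames(yes);   # record the relay path, as in the original setup
    use_dns(no);
};
source s_tcp_relays { tcp(ip(0.0.0.0) port(5140)); };
source s_local { unix-stream("/dev/log"); internal(); };
destination d_messages {
    file("/var/log/messages"
         template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n"));
};
log { source(s_tcp_relays); source(s_local); destination(d_messages); };
```

Current syslog-ng releases also accept keep_hostname(), use_dns() and chain_hostnames() as options on an individual source, so on a modern build the same split can be done inside one instance by setting keep_hostname(no) use_dns(yes) on the UDP source only.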
Nate Campi wrote:
>> Yeah. I already thought of running two instances - but then I'd have to have two sets of destinations too wouldn't I? I doubt two instances of syslog-ng could write to /var/log/messages simultaneously...
>
> No silly, the second one is simply a relay that does the hostname replacement and sends on to the second one that trusts hostnames. The first does no writing to any files.

Well Duh! Do I feel stupid :-)

Great idea. Simple and doesn't require patching.

Thanks for the tip

Jason