Hi All,

I have a question regarding syslog-ng and VRF. I want to read from a syslog source, which interface is in the default VRF, and send the logs to a syslog/network destination interface which is in a MGMT VRF.

Can syslog-ng support this? If yes, what are the aspects I should be careful about?

Thanks and regards,
Alex
Hello Alex,

I read a tutorial about VRF's. (To be honest I have never worked with them before.) From your current description it is not clear to me, where is syslog-ng on your network. Can you please provide some topology information?

In the meantime (if my assumption is right about your use case): By default, a syslog-ng network source will listen on all available interfaces. You can specify the IP address to bind to, with the "ip()" option. Similarly network destinations will bind to "0.0.0.0" by default, which can be overwritten by the "localip()" option.

Best regards,
Laci

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos@gmail.com>
Sent: Tuesday, July 21, 2020 16:18
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] syslog-ng multiple VRF

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hi All,

I have a question regarding syslog-ng and VRF. I want to read from a syslog source, which interface is in the default VRF, and send the logs to a syslog/network destination interface which is in a MGMT VRF.

Can syslog-ng support this? If yes, what are the aspects I should be careful about?

Thanks and regards,
Alex
Hi Laci,

Thanks for your comments and help. Below the details of my problem! Any help is very appreciated.

*So I want to read from the interface:*

    20: INTRA-CH@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 08:00:27:79:1c:f5 brd ff:ff:ff:ff:ff:ff
        inet 127.10.10.1/22 brd 127.1.3.255 scope host INTRA-CH
           valid_lft forever preferred_lft forever

*I want to write to the interface:*

    30: EXT@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc noqueue *master MGMT* state UP group default qlen 1000
        link/ether 1a:07:cf:e2:28:ca brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.132/24 brd 192.168.1.255 scope global EXT
           valid_lft forever preferred_lft forever
        inet6 fe80::8bd5:aa6a:9510:7418/64 scope link stable-privacy
           valid_lft forever preferred_lft forever

*syslog-ng is running as a service in Debian10.*

*Configurations of syslog-ng for the source are:*

    source s_src {
        system();
        internal();
        syslog(ip(127.1.1.1) transport("udp") port(514) keep-alive(no));
    };

*Configurations of syslog-ng for the destination are:*

    destination d_test1_udp {
        syslog("192.168.1.88"
            transport("udp")
            ip-protocol(4)
            port(514)
            keep-alive(no)
            localip("192.168.1.132")
            suppress(5)
        );
    };

    filter f_remote_test1_udp_authpriv { facility(authpriv) and level(debug .. emerg); };
    filter f_remote_test1_udp_local1 { facility(local1) and level(debug .. emerg); };
    filter f_remote_test1_udp_local2 { facility(local2) and level(debug .. emerg); };
    filter f_remote_test1_udp_local6 { facility(local6) and level(debug .. emerg); };

    filter f_remote_test1_udp {
        filter(f_remote_test1_udp_authpriv) or
        filter(f_remote_test1_udp_local1) or
        filter(f_remote_test1_udp_local2) or
        filter(f_remote_test1_udp_local6);
    };

    log {
        source(s_src);
        filter(f_remote_test1_udp);
        destination(d_test1_udp);
    };

*I got the syslog-ng log:*

    Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.448970] WARNING: With use-dns(no), dns-cache() will be forced to 'no' too!;
    Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.450299] Current position not matches to the saved cursor position, seek to head; cursor='s=eabbca1417cd46a398b5e6593d62
    Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.463249] Error binding socket; addr='AF_INET(192.168.1.132:0)', error='Cannot assign requested address (99)'
    Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.463974] Initiating connection failed, reconnecting; time_reopen='60'

On Wed, Jul 22, 2020 at 10:20 AM Laszlo Szemere (lszemere) <Laszlo.Szemere@oneidentity.com> wrote:
Hello Alex, I read a tutorial about VRF's. (To be honest I have never worked with them before.)
From your current description it is not clear to me, where is syslog-ng on your network. Can you please provide some topology information?
In the meantime (if my assumption is right about your use case): By default, a syslog-ng network source will listen on all available interfaces. You can specify the IP address to bind to, with the "ip()" option. Similarly network destinations will bind to "0.0.0.0" by default, which can be overwritten by the "localip()" option.
Best regards, Laci
------------------------------ *From:* syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos@gmail.com> *Sent:* Tuesday, July 21, 2020 16:18 *To:* Syslog-ng users' and developers' mailing list < syslog-ng@lists.balabit.hu> *Subject:* [syslog-ng] syslog-ng multiple VRF
Hi All,
I have a question regarding syslog-ng and VRF. I want to read from a syslog source, which interface is in the default VRF, and send the logs to a syslog/network destination interface which is in a MGMT VRF.
Can syslog-ng support this? If yes, what are the aspects I should be careful about?
Thanks and regards, Alex
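A diagnostic sketch for the bind error in the log above, added here as an example and not part of the original thread or of syslog-ng: it pulls the address out of the "Error binding socket" line and repeats the same UDP bind from whatever context it is run in. The function names and the optional `device` argument (SO_BINDTODEVICE) are assumptions of this example; the log lines are the ones quoted in the message.

```python
import errno
import re
import socket

# Log lines quoted from the message above (syslog-ng internal() output).
SAMPLE_LOG = """\
Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.463249] Error binding socket; addr='AF_INET(192.168.1.132:0)', error='Cannot assign requested address (99)'
Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.463974] Initiating connection failed, reconnecting; time_reopen='60'
"""

BIND_ERR = re.compile(
    r"Error binding socket; addr='AF_INET\((?P<ip>[\d.]+):(?P<port>\d+)\)', "
    r"error='(?P<msg>.*?) \((?P<errno>\d+)\)'"
)


def bind_failures(log_text):
    """Return (ip, port, errno) for every bind failure syslog-ng reported."""
    return [(m["ip"], int(m["port"]), int(m["errno"]))
            for m in BIND_ERR.finditer(log_text)]


def probe_bind(ip, device=None):
    """Repeat the UDP bind that localip() asks for; return 0 or the errno.

    device (hypothetical parameter): interface or VRF device name handed to
    SO_BINDTODEVICE, which needs root; None probes from the caller's context.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            if device:
                s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE,
                             device.encode())
            s.bind((ip, 0))  # port 0, as in the logged addr
        return 0
    except OSError as e:
        return e.errno


if __name__ == "__main__":
    for ip, port, err in bind_failures(SAMPLE_LOG):
        now = probe_bind(ip)
        result = "bind OK" if now == 0 else errno.errorcode.get(now, now)
        print(f"{ip}: logged errno {err} "
              f"({errno.errorcode.get(err)}), probe now -> {result}")
```

Running it once normally and once under `ip vrf exec MGMT` shows whether 192.168.1.132 can be bound only from inside the VRF that owns the EXT interface.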