[syslog-ng]relay host address changes source hosts ip in message
"Pedroche, Raúl"
syslog-ng@lists.balabit.hu
Thu, 25 Mar 2004 06:02:36 -0000
Greetings,

The problem is quite simple: you have set the option "keep_hostname(no)" on both
servers, which implies that syslog-ng will not trust the hostname in the packet
payload, that is, the hostname by which the original server refers to itself, and
will use reverse IP resolution to set it.

In this scenario, this means that the central server will see packets coming from
POP-A and will not use the hostname in the packet but the reverse IP resolution
of the packet source IP (or the IP by itself if it cannot resolve it).

You should remove the option from the central server configuration.
Regards,

Raúl Pedroche
COLT Telecom
Email: raul.pedroche@colt-telecom.es
www.colt.net
-----Original Message-----
From: Bill [mailto:syslog-ng@gardrail.com]
Sent: Wednesday, March 24, 2004 9:28 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]relay host address changes source hosts ip in message
Greetings,

I've been tasked to set up a syslog relay network from various POPs to a
centralized syslog server for insertion into a database.

The problem I'm running into is at the various POPs. For example, let's call
the first one POP-A. At POP-A, I have syslog-ng version 1.6.0rc4 set up to
receive both UDP and TCP syslog connections. It in turn relays the syslog
messages to the central server. When I look at the incoming data on the
centralized server, it shows that the source host information
is being re-written with the relay host's IP.
System stats are:

Solaris 8 intel
Syslog-ng 1.6.0rc4

POP-A configuration file follows:
options {
    long_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    check_hostname(yes);
    keep_hostname(no);
    chain_hostnames(no);
    # On Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(0);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(10240);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    create_dirs(yes);
    owner("root");
    group("other");
    perm(0600);
    use_time_recvd(yes);
};

source src {
    # Network syslog from the devices at this POP.
    # The default syslog port is 514 (UDP and TCP).
    udp();
    tcp(max-connections(1024));
};

source l_src {
    # Messages generated by syslog-ng itself
    internal();
    # Local messages from the Solaris STREAMS log device
    sun-streams("/dev/log");
};

destination syslogfile {
    # One file per source host, plus a UDP relay to the central server
    file("/var/log/syslogng/$HOST.log");
    udp("1.1.1.1");
};

filter priorityfilter {
    priority(debug,info,notice,warning,err,crit,alert,emerg);
};

###############################################################
log {
    source(src);
    source(l_src);
    filter(priorityfilter);
    destination(syslogfile);
};
------------------------------------------------------
Server syslog-ng configuration follows:
------------------------------------------------------
options {
    long_hostnames(yes);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    # dns_cache_size(500);
    # dns_cache_expire(3600);
    # dns_cache_expire_failed(3600);
    # check_hostname(yes);
    keep_hostname(no);
    chain_hostnames(no);
    # On Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(0);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(10240);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    create_dirs(yes);
    owner("root");
    group("other");
    perm(0640);
    use_time_recvd(yes);
};

###############################################################
source src {
    # Network syslog relayed from the POPs.
    # The default syslog port is 514.
    udp();
    # Messages generated by syslog-ng itself
    internal();
};

source l_src {
    # Local messages from the Solaris STREAMS log device
    sun-streams("/dev/log" door("/etc/.syslog_door"));
    internal();
};

destination syslogfile {
    file("/var/log/syslogng/$YEAR_$MONTH_$DAY_$HOST.log");
};

destination program1 {
    # Feed each record to the database loader, fields separated by "¡"
    program("/path/to/uber/syslog/program.pl"
        template("¡$HOST¡$FACILITY¡$PRIORITY¡$LEVEL¡$TAG¡$FULLDATE¡$PROGRAM¡$MSG\n")
        template-escape(yes)
    );
};

filter priorityfilter {
    priority(debug,info,notice,warning,err,crit,alert,emerg);
};

filter dropsyslog {
    # match() is a regexp on the message text; drops syslog-ng's own messages
    not match("syslog-ng*");
};

###############################################################
log {
    source(src);
    filter(dropsyslog);
    filter(priorityfilter);
    destination(program1);
    destination(syslogfile);
};

###############################################################
log {
    source(l_src);
    destination(program1);
    destination(syslogfile);
};
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
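Editor's note on the mechanism in Raúl's reply, with an added Python model (not syslog-ng code and not from this thread). Each syslog-ng hop either keeps the HOST field carried in the payload (keep_hostname(yes)) or overwrites it with the identity of the peer that handed it the packet; with use_dns(no) that identity is the peer's IP. Running the two posted configurations through the model reproduces the symptom, and switching only the central server to keep_hostname(yes) fixes it. One caveat for anyone following the advice literally: the default of keep_hostname() is no, so deleting the line from the central server's options block changes nothing; set keep_hostname(yes) there explicitly. Keeping keep_hostname(no) on the POP relay is deliberate, since it is the hop that can pin the name to the sender's address and stop a device from forging its HOST over UDP; the central server should only trust the stamp the relay applied. All addresses, hostnames and sample lines below are constructed.

```python
"""How syslog-ng fills $HOST at each hop, and why keep_hostname(no) on both the
POP relay and the central server leaves the relay's IP in every record.

Added illustration for this thread, not syslog-ng code; hostnames, addresses
and the sample messages are constructed."""
import re
from dataclasses import dataclass, replace
from typing import Optional

# RFC 3164-style line as a BSD syslogd puts it on the wire: <PRI>TIMESTAMP HOST TAG: MSG
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)


@dataclass(frozen=True)
class SyslogMsg:
    pri: int
    timestamp: str
    host: str   # the value syslog-ng exposes as $HOST
    rest: str   # TAG: MSG

    def to_wire(self) -> str:
        return f"<{self.pri}>{self.timestamp} {self.host} {self.rest}"


def parse_bsd(line: str) -> SyslogMsg:
    m = _BSD.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    return SyslogMsg(int(m["pri"]), m["ts"], m["host"], m["rest"])


@dataclass(frozen=True)
class HopOptions:
    """The part of a syslog-ng options{} block that decides $HOST."""
    keep_hostname: bool
    use_dns: bool = False
    ptr: Optional[dict] = None   # stand-in for reverse DNS (constructed table)


def receive(msg: SyslogMsg, peer_ip: str, opts: HopOptions) -> SyslogMsg:
    """One syslog-ng instance receiving msg from peer_ip.

    keep_hostname(yes): trust the HOST field in the payload as-is.
    keep_hostname(no):  overwrite it with the reverse lookup of the peer
                        address (use_dns(yes)) or the address itself
                        (use_dns(no)). The peer is whoever handed us the
                        packet, so downstream of a relay it is the relay.
    """
    if opts.keep_hostname:
        return msg
    if opts.use_dns and opts.ptr and peer_ip in opts.ptr:
        return replace(msg, host=opts.ptr[peer_ip])
    return replace(msg, host=peer_ip)


def host_seen_centrally(line, device_ip, relay_ip, relay_opts, central_opts) -> str:
    """Device -> POP relay -> central server; return $HOST at the central server."""
    at_relay = receive(parse_bsd(line), device_ip, relay_opts)
    at_central = receive(parse_bsd(at_relay.to_wire()), relay_ip, central_opts)
    return at_central.host


# Constructed scenario: a router behind POP-A, addresses from documentation ranges.
DEVICE_IP, RELAY_IP = "10.0.0.5", "192.0.2.10"
SAMPLE = "<34>Mar 24 21:28:00 router1 sshd[4711]: Failed password for root"
# A device lying about its name, to show what keep_hostname(yes) at the first hop trusts.
SPOOFED = "<34>Mar 24 21:28:00 central-db sshd[4711]: Accepted password for root"
RELAY_NO, RELAY_YES = HopOptions(keep_hostname=False), HopOptions(keep_hostname=True)
CENTRAL_NO, CENTRAL_YES = RELAY_NO, RELAY_YES


def as_posted() -> str:
    """Both hops keep_hostname(no), as in the two configs in the thread."""
    return host_seen_centrally(SAMPLE, DEVICE_IP, RELAY_IP, RELAY_NO, CENTRAL_NO)


def fixed() -> str:
    """Relay stamps the device's peer address; central keeps the relay's stamp."""
    return host_seen_centrally(SAMPLE, DEVICE_IP, RELAY_IP, RELAY_NO, CENTRAL_YES)


def fixed_with_dns() -> str:
    """Same, with use_dns(yes) on the relay so the stamp is a name, not an address."""
    relay = HopOptions(keep_hostname=False, use_dns=True,
                       ptr={DEVICE_IP: "router1.pop-a.example"})
    return host_seen_centrally(SAMPLE, DEVICE_IP, RELAY_IP, relay, CENTRAL_YES)


def spoof_outcome() -> tuple:
    """(trusting chain, first-hop stamping chain) for a message with a forged HOST."""
    trusting = host_seen_centrally(SPOOFED, DEVICE_IP, RELAY_IP, RELAY_YES, CENTRAL_YES)
    stamped = host_seen_centrally(SPOOFED, DEVICE_IP, RELAY_IP, RELAY_NO, CENTRAL_YES)
    return trusting, stamped


if __name__ == "__main__":
    print("as posted     :", as_posted())        # 192.0.2.10, the relay
    print("fixed         :", fixed())            # 10.0.0.5, the device
    print("fixed + dns   :", fixed_with_dns())   # router1.pop-a.example
    print("spoofed HOST  :", spoof_outcome())    # ('central-db', '10.0.0.5')
```

The model only covers keep_hostname() and use_dns(); chain_hostnames(), which would record the whole relay path in $HOST instead of a single name, is left out. Note also that the source address of a UDP datagram is itself forgeable, so the stamp the relay applies is only as trustworthy as the network between the devices and the POP; TCP to the relay, or a filter on the relay's accepted peers, is what makes that stamp worth keeping downstream.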