[syslog-ng] Sending source IP from syslog-ng

Michael Gehrmann syslog-ng@lists.balabit.hu
Thu, 25 Nov 2004 09:07:38 +1000


Hi All,

I have seen a number of queries on a number of lists in regards to
sending the source IP address of messages that are forwarded from a
syslog-ng server.

I have found a solution! 

You need to do the following:

1. Enter the option --enable-spoof-source when running ./configure (This
   requires libnet, use RPM for RedHat)
2. 'make' and 'make install' syslog-ng
3. In your syslog-ng config add the spoof-source(yes) option to your
   destination (UDP only), e.g.

   destination log_host { udp("10.0.0.1" port(514) spoof_source(yes)); };

On a syslogd server (Solaris, Standard *nix) you should see the
originating host IP after the timestamp.

Hope this helps.

-- 
Michael Gehrmann

Security Administrator  
CITEC
www.citec.com.au, Your business solutions partner
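
Added example, not part of the original post: a small check to run on the receiving log host to confirm that datagrams from a relay configured with spoof_source(yes) as described above arrive carrying the original senders' IP source addresses rather than the relay's. The relay address 10.0.0.5, the sample lines and the function names are assumptions made for illustration; binding UDP port 514 normally requires root.

```python
import socket
import sys
from collections import Counter

def collect_sources(sock, count, timeout=5.0):
    """Read up to `count` datagrams; return [(ip_source, syslog_line), ...]."""
    sock.settimeout(timeout)
    seen = []
    try:
        while len(seen) < count:
            data, (peer_ip, _port) = sock.recvfrom(8192)
            seen.append((peer_ip, data.decode("utf-8", "replace").rstrip()))
    except socket.timeout:
        pass  # report whatever arrived before the timeout
    return seen

def summarize(seen, relay_ip):
    """Count datagrams per IP source and report whether any kept a non-relay source.

    If every packet carries relay_ip, the relay is not rewriting the source:
    either it was built without --enable-spoof-source or the option is not
    set on the destination. The relay's own messages legitimately keep its IP.
    """
    per_source = Counter(ip for ip, _ in seen)
    from_relay = per_source.get(relay_ip, 0)
    return {
        "per_source": dict(per_source),
        "from_relay": from_relay,
        "preserved": len(seen) - from_relay,
        "spoofing_seen": len(seen) > from_relay,
    }

# Constructed sample: (IP source seen by the collector, syslog line).
SAMPLE = [
    ("192.0.2.10", "<13>Nov 25 09:07:38 su: session opened for user root"),
    ("192.0.2.11", "<38>Nov 25 09:07:39 sshd[411]: Accepted password for ops"),
    ("10.0.0.5", "<46>Nov 25 09:07:40 syslog-ng[90]: STATS: dropped 0"),
]

if __name__ == "__main__":
    # Usage: script.py [relay_ip] [port]; both defaults are assumptions.
    relay = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        print(summarize(collect_sources(s, 20), relay))
```

If "preserved" stays at zero while clients are known to be logging, also check for reverse-path or anti-spoofing filters between the relay and the log host, since they drop packets whose source address does not match the sending interface.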
