[syslog-ng]Source IP address incorrect
Singh, Mandeep Mr. Adnet
syslog-ng@lists.balabit.hu
Wed, 27 Oct 2004 13:38:50 -0400
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C4BC4B.D22C3C60
Content-Type: text/plain
All,
I seem to be having a common problem with forwarding syslog messages. I have
read through archives and the solution that is most popular isn't working
for me. I have a central server with is properly receiving messages from my
PIX firewalls. On that same server I have an application from Cisco with
acts like a syslogd daemon and parses PIX messages into separate categories.
Syslog-ng is listening on 514 and the Cisco product is listening on 515. My
problem is the source IP address that the Cisco application receives is the
IP address of the server not the PIX that produced it. Any help would be
greatly appreciated, below is my configuration file. Thanks in advance.
Mandeep
options { keep_hostname(yes);
chain_hostnames(no);
create_dirs(yes);
use_time_recvd(yes);
use_dns(no);
use_fqdn(no);
};
source s_external { udp(); };
destination d_firewall_file {
file("/logs/$YEAR/$MONTH/$DAY/firewall.log"
perm(0655)
dir_perm(0655));
};
destination d_firewall_Port { udp("192.168.0.1" port(515)); };
log { source(s_external); destination(d_firewall_file); };
log { source(s_external); destination(d_firewall_Port); };
------_=_NextPart_001_01C4BC4B.D22C3C60
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3DUS-ASCII">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2654.89">
<TITLE>Source IP address incorrect</TITLE>
</HEAD>
<BODY>
<P ALIGN=3DLEFT><FONT SIZE=3D2 FACE=3D"Arial">All,</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 FACE=3D"Arial">I seem to be having a =
common problem with forwarding syslog messages.</FONT> <FONT SIZE=3D2 =
FACE=3D"Arial">I have read through archive</FONT><FONT SIZE=3D2 =
FACE=3D"Arial">s</FONT><FONT SIZE=3D2 FACE=3D"Arial"> and the solution =
that is most popular isn</FONT><FONT SIZE=3D2 =
FACE=3D"Arial">'</FONT><FONT SIZE=3D2 FACE=3D"Arial">t working for me. =
I have a central server with is properly receiving messages from my PIX =
firewalls. On that same server I have an application from Cisco with =
acts like a syslogd daemon and parses PIX messages into separate =
categories. Syslog-ng is listening on 514 and the Cisco product is =
listening on 515. My problem is the source IP address</FONT> <FONT =
SIZE=3D2 FACE=3D"Arial">that</FONT> <FONT SIZE=3D2 FACE=3D"Arial">the =
Cisco application receives</FONT> <FONT SIZE=3D2 FACE=3D"Arial">is =
t</FONT><FONT SIZE=3D2 FACE=3D"Arial">he IP add</FONT><FONT SIZE=3D2 =
FACE=3D"Arial">ress of the server not the PIX that produced it. Any =
help would be greatly</FONT> <FONT SIZE=3D2 =
FACE=3D"Arial">appreciated</FONT><FONT SIZE=3D2 FACE=3D"Arial">, below =
i</FONT><FONT SIZE=3D2 FACE=3D"Arial">s my configuration =
file.</FONT><FONT SIZE=3D2 FACE=3D"Arial"> Thanks in =
advance.</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 FACE=3D"Arial">Mandeep</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 FACE=3D"Arial">options =
{ keep_hostname(yes);</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> &nb=
sp; chain_hostnames(no);</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> &nb=
sp; create_dirs(yes);</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> &nb=
sp; use_time_recvd(yes);</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> &nb=
sp; use_dns(no);</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> &nb=
sp; use_fqdn(no);</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> };</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 FACE=3D"Arial">source =
s_external =
{ udp(); };</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 FACE=3D"Arial">destination =
d_firewall_file =
{ =
file("/logs/$YEAR/$MONTH/$DAY/firewall.log"</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> &nb=
sp; &nb=
sp; =
perm(0655)</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> &nb=
sp; &nb=
sp; =
dir_perm(0655));</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial"> &nb=
sp; &nb=
sp; };</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 FACE=3D"Arial">destination =
d_firewall_Port =
{ udp("</FONT><FONT SIZE=3D2 =
FACE=3D"Arial">192.168.0.1</FONT><FONT SIZE=3D2 FACE=3D"Arial">" =
port(515));</FONT> <FONT SIZE=3D2 FACE=3D"Arial"></FONT> <FONT =
SIZE=3D2 FACE=3D"Arial">};</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial">log =
{ source(s_external); =
destination(d_firewall_file); };</FONT></P>
<P ALIGN=3DLEFT><FONT SIZE=3D2 =
FACE=3D"Arial">log =
{ source(s_external); =
destination(d_firewall_Port); };</FONT></P>
</BODY>
</HTML>
------_=_NextPart_001_01C4BC4B.D22C3C60--