[syslog-ng] Chained changing IP addresses to FQDN

Christopher Barry christopher.barry at rackwareinc.com
Mon Dec 28 00:51:40 CET 2009


On Sun, 2009-12-27 at 12:41 -0500, Jason Carr wrote:
> Our security team wants IP addresses from the packet for SIEM tools among other things and the sysadmins want FQDN instead of IP addresses since they know machines by hostname not IP.  Each team would have their own storage server.
> 
> On Dec 27, 2009, at 12:21 AM, Christopher Barry wrote:
> 
> > On Tue, 2009-12-22 at 15:28 -0500, Jason Carr wrote:
> >> Hello,
> >> 
> >> I have a syslog infrastructure using syslog-ng comprising of three tiers: probes that accept messages and forwards them to the broker, a broker that routes and/or duplicates messages to the appropriate storage devices, and storage devices.  All forward using the tcp("hostname"); as a destination.
> >> 
> >> Basically it looks like this:
> >> 
> >> machine1 ==udp==> +-------+          +--------+          +-----------+
> >> machine2 ==udp==> | probe | ==tcp==> | broker | ==tcp==> | storage 1 |
> >> machine3 ==udp==> +-------+          +--------+          +-----------+ 
> >>                                         ||              +-----------+
> >>                                         ++=======tcp==> | storage 2 |
> >>                                                         +-----------+
> >> 
> >> 
> >> The probes rewrite the hostname to the IP address that the packet came from using the chain_hostnames(no) and keep_hostname(no) options.  One of the requirements of one specific storage device is to change the IP addresses into hostnames.  I'm having difficulty on the storage device switching the IP address in the log message to the FQDN.  I have tried all combinations I can think of of chain_hostnames and keep_hostname and cannot seem to get the IP address replaced with the FQDN.
> >> 
> >> Is there a way to replace the IP address with the FQDN while receiving the messages from an intermediary?
> >> 
> >> Thank you,
> >> 
> >> Jason
> > 
> > uhm, don't re-write it to ip addresses in the first place? Seems
> > logical, but I may not fully understand your implementation.
> > 
> > -C

First, I'm absolutely no expert with syslog-ng, but since nobody is
piping up, I'll try to help you. Don't get upset if you go on a wild
goose chase :)

If it was me, I would see if I could do the splitting before the
conversion to all IP addresses. If this is simply not possible
architecturally, then I would look to see if syslog-ng had the ability
to route through a program as a filter (I'm betting it can, although I
can't say for sure.) If so, you could write a simple script to nslookup
or dig the IP address token in the stream, find the FQDN, and rewrite it
that way. If you do that, you'll definitely want the machine doing the
re-writing to have a good dnscache on it, so you're not going over the
wire all the time for lookups.

Other than that I have no clue. Hopefully someone with actual knowledge
can chime in now :)

-C



More information about the syslog-ng mailing list