[syslog-ng] Chained changing IP addresses to FQDN

Jakub Jankowski shasta at toxcorp.com
Mon Dec 28 01:04:26 CET 2009


On Monday 28 of December 2009, Christopher Barry wrote:
> > >>
> > >> I have a syslog infrastructure using syslog-ng comprising three
> > >> tiers: probes that accept messages and forward them to the
> > >> broker, a broker that routes and/or duplicates messages to the
> > >> appropriate storage devices, and storage devices.  All forward
> > >> using the tcp("hostname"); as a destination.
[...]
> > >> The probes rewrite the hostname to the IP address that the packet
> > >> came from using the chain_hostnames(no) and keep_hostname(no)
> > >> options.  One of the requirements of one specific storage device
> > >> is to change the IP addresses into hostnames.  I'm having
> > >> difficulty on the storage device switching the IP address in the
> > >> log message to the FQDN.  I have tried all combinations of
> > >> chain_hostnames and keep_hostname I can think of and cannot seem to
> > >> get the IP address replaced with the FQDN.
> > >>
> > >> Is there a way to replace the IP address with the FQDN while
> > >> receiving the messages from an intermediary?
> > >
> > > uhm, don't re-write it to ip addresses in the first place? Seems
> > > logical, but I may not fully understand your implementation.
> > >
> > Our security team wants IP addresses from the packet for SIEM tools
> > among other things and the sysadmins want FQDN instead of IP
> > addresses since they know machines by hostname not IP.  Each team
> > would have their own storage server.
[...]
> If it was me, I would see if I could do the splitting before the
> conversion to all IP addresses. If this is simply not possible
> architecturally, then I would look to see if syslog-ng had the ability
> to route through a program as a filter (I'm betting it can, although I
> can't say for sure.) If so, you could write a simple script to nslookup
> or dig the IP address token in the stream, find the FQDN, and rewrite
> it that way. If you do that, you'll definitely want the machine doing
> the re-writing to have a good dnscache on it, so you're not going over
> the wire all the time for lookups.

See the syslog-ng admin guide; look for use_dns(). You might find persist-only
useful, combined with dns_cache_hosts().

HTH

-- 
Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
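The "route through a program as a filter" idea from the quoted reply, worked through as an added example (not code from the thread or from syslog-ng): a script that sits between two syslog-ng hops, reads syslog lines on stdin and replaces an IP-literal HOST token with a name taken from an /etc/hosts-style table, the same file format that dns_cache_hosts() reads, so the rewriting host never has to go over the wire for a lookup. The sample table, the sample log lines and the hosts-file path are constructed for illustration.

```python
#!/usr/bin/env python3
"""Rewrite an IP-literal HOST token in RFC 3164-style syslog lines to an FQDN.

Added example, not part of syslog-ng or of the mailing-list thread. Names come
only from an /etc/hosts-style table, so no DNS query is made per message.
The table, sample lines and file path below are constructed for illustration.
"""
import ipaddress
import re
import sys

# Constructed sample table in /etc/hosts format (first name on a line wins).
SAMPLE_HOSTS = """\
# ip            fqdn                 aliases
192.0.2.10      www1.example.net     www1
192.0.2.11      db1.example.net
2001:0db8::5    mail1.example.net
"""

# Constructed sample lines, as a tcp() destination with the default template
# writes them: <PRI>Mmm dd HH:MM:SS HOST program[pid]: text
SAMPLE_LINES = [
    "<34>Dec 28 01:04:26 192.0.2.10 sshd[1234]: Accepted publickey for alice",
    "<13>Dec 28 01:04:27 192.0.2.99 cron[77]: job finished",
    "<13>Dec 28 01:04:28 192.0.2.10 kernel: ignore 10.0.0.1 in message body",
    "<13>Dec 28 01:04:29 broker1.example.net syslog-ng[2]: already a name",
    "<13>Dec 28 01:04:30 2001:db8::5 postfix/smtpd[9]: connect",
]

# Only the HOST token is captured for replacement; PRI is optional so lines
# relayed without it are still handled. Addresses in the body are not touched.
_LINE_RE = re.compile(
    r"^(?P<pri><\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)


def parse_hosts_table(text):
    """Parse /etc/hosts-style text into {normalised ip: fqdn}."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # "2001:0db8::5" -> "2001:db8::5"
        except ValueError:
            continue  # malformed address: skip the line rather than abort
        table.setdefault(ip, fields[1])
    return table


def rewrite_line(line, table):
    """Return (line, outcome); outcome is 'resolved', 'unmapped' or 'passthrough'."""
    m = _LINE_RE.match(line)
    if not m:
        return line, "passthrough"  # not a syslog line we understand: leave it
    try:
        key = str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        return line, "passthrough"  # HOST is already a name
    fqdn = table.get(key)
    if fqdn is None:
        return line, "unmapped"  # unknown address: keep the IP, never drop the event
    new = "%s%s %s %s" % (m.group("pri") or "", m.group("ts"), fqdn, m.group("rest"))
    return new, "resolved"


def rewrite_stream(lines, table):
    """Rewrite an iterable of lines; returns (output_lines, counts by outcome)."""
    out, stats = [], {"resolved": 0, "unmapped": 0, "passthrough": 0}
    for line in lines:
        new, outcome = rewrite_line(line.rstrip("\n"), table)
        stats[outcome] += 1
        out.append(new)
    return out, stats


def demo():
    return rewrite_stream(SAMPLE_LINES, parse_hosts_table(SAMPLE_HOSTS))


def main(argv):
    # Usage: rewrite_host.py [hosts-file] < syslog-lines > rewritten-lines
    # e.g. as the command of a syslog-ng program() destination on one hop,
    # writing to a pipe or file that the next hop reads as a source.
    if len(argv) > 1:
        with open(argv[1]) as f:  # assumed path, e.g. /etc/syslog-ng/dns-hosts
            table = parse_hosts_table(f.read())
    else:
        table = parse_hosts_table(SAMPLE_HOSTS)
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    out, stats = rewrite_stream(lines, table)
    sys.stdout.write("".join(l + "\n" for l in out))
    sys.stderr.write("resolved=%(resolved)d unmapped=%(unmapped)d "
                     "passthrough=%(passthrough)d\n" % stats)


if __name__ == "__main__":
    main(sys.argv)
```

Two choices matter for a log pipeline: an address missing from the table is left in place and counted instead of being dropped or rewritten to a guess, so a stale table shows up in the counters rather than as lost events, and only the HOST token is rewritten, so addresses inside the message body stay as they were. The FQDN is only as trustworthy as the table on the rewriting host, which is a reason to keep the IP-bearing copy on the security team's storage server as the authoritative record.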