[syslog-ng] Host/IP Macros in relay chains

Pennington, Philip philip.pennington at credit-suisse.com
Fri Jan 9 10:34:47 CET 2009


Question on Host/IP Macros in relay chains.

Is there a way to present the original sender IP on the final relay in a
chain of several relays?

With hostnames, the FULLHOST and HOST macros are capable of doing this
(with tuning of keep_hostname() and chain_hostnames()).

Their corresponding FULLHOST_FROM and HOST_FROM macros exhibit the same
behaviour as the SOURCEIP macro, in the sense that they only provide the
name/IP of the previous relay.

I have read Michael Gehrmann's post
(https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006695.html),
which discusses the compile-time option "--enable-spoof-source". That
feature spoofs the source IP using UDP, but this doesn't really help, as I
need to use TCP and retain the relay's source (firewalls in the chain).
Presumably this setting would also be required on all members of the
relay chain.

I guess I am really looking for an alternative way to achieve a similar
effect to Michael's solution, using the first (original) entry in the
chain (rather than spoofing the last entry in the chain at all points
through the chain), i.e. to force an IP from the original sender's entry
in the chain (reverse/PTR DNS resolution perhaps?).

What HOST_FROM is to HOST, SOURCEIP is to what I want.


Does anyone know whether this is currently possible (or in pipeline
development)?
Maybe in the premium version (although I can't see it documented there
either)?


Thanks,

Philip



Excerpts from the syslog-ng v2.0 admin guide (section 9.5 Macros):

FULLHOST:
The full FQDN of the host name chain (without trimming chained hosts),
including the domain name. To use this macro, make sure that the
keep_hostname() option is enabled.

FULLHOST_FROM:
FQDN of the host that sent the message to syslog-ng, as resolved by
syslog-ng using DNS. If the message traverses several hosts, this is the
last host in the chain. To use this macro, make sure that the
keep_hostname() option is enabled.

HOST:
The name of the source host where the message originates from. If the
message traverses several hosts and the chain_hostnames() option is on,
the first host in the chain is used. To use this macro, make sure that
the keep_hostname() option is enabled.

HOST_FROM:
Name of the host that sent the message to syslog-ng, as resolved by
syslog-ng using DNS. If the message traverses several hosts, this is the
last host in the chain. To use this macro, make sure that the
keep_hostname() option is enabled.

SOURCEIP:
IP address of the host that sent the message to syslog-ng (i.e. the IP
address of the host in the FULLHOST_FROM macro). Please note that when a
message traverses several relays, this macro contains the IP of the last
relay.
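The relay chain the question describes, written out as an added example (not from the original post or from the syslog-ng project). It uses the syslog-ng 2.x configuration syntax of the admin guide quoted above and consists of two separate configuration files, one for the first-hop relay and one for the final collector; the host names, addresses and the `orig_ip=` tag are assumptions made for illustration. Since, as the guide excerpt says, $SOURCEIP at the collector can only ever name the previous relay, the first-hop relay is the only place where the client's address is visible, so it copies $SOURCEIP into the message body before forwarding; the collector then logs $HOST, $FULLHOST, $HOST_FROM and $SOURCEIP side by side so the difference between the macros is visible.

```conf
# ===== file 1: first-hop relay (assumed host relay1, 10.0.1.10) =====
options {
    keep_hostname(yes);      # trust the hostname the client put in the message
    chain_hostnames(yes);    # forward as "client/relay1" so the chain of hosts
                             # survives to the next hop ($FULLHOST downstream)
    use_dns(yes);            # needed for $HOST_FROM / $FULLHOST_FROM to resolve
    use_fqdn(yes);
};

source s_clients {
    tcp(ip(0.0.0.0) port(514));
};

# Forward over TCP (firewalls in the chain, as in the question). At this hop
# $SOURCEIP is the client's address, so embed it in the message text. The
# "orig_ip=" key is an assumption of this example, not a syslog-ng macro.
destination d_collector {
    tcp("10.0.2.20" port(514)
        template("<$PRI>$DATE $HOST $MSGHDR[orig_ip=$SOURCEIP] $MSG\n"));
};

log { source(s_clients); destination(d_collector); };

# ===== file 2: final collector (assumed host collector, 10.0.2.20) =====
options {
    keep_hostname(yes);
    chain_hostnames(yes);
    use_dns(yes);
    use_fqdn(yes);
};

source s_relays {
    tcp(ip(0.0.0.0) port(514));
};

# Per the guide excerpt: $HOST is the first host in the chain (the client),
# $FULLHOST the untrimmed chain, and $HOST_FROM / $SOURCEIP the relay that
# delivered the message. The client's IP only appears because the relay wrote
# it into $MSG above; no macro at this hop can recover it.
destination d_chain_log {
    file("/var/log/chain.log"
         template("$DATE host=$HOST chain=$FULLHOST from=$HOST_FROM ip=$SOURCEIP $MSG\n"));
};

log { source(s_relays); destination(d_chain_log); };
```

One caveat a collector operator should keep in mind: the embedded `orig_ip=` value, like the hostname accepted under keep_hostname(yes), is ordinary message text and can be set to anything by a client or by any intermediate relay. Only $SOURCEIP of the immediately preceding hop is a transport-level fact; everything further back in the chain is asserted by the hosts in between, so it should be treated as untrusted input when it is used for correlation or alerting.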

