[syslog-ng] Host/IP Macros in relay chains

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Fri Jan 9 11:14:26 CET 2009


> Question on Host/IP Macros in relay chains. 
> Is there a way to present the original sender IP on a final 
> relay in a chain of several relays ? 

When the sender sends its IP address instead of its hostname
(or you use templates on the first relay which uses SOURCEIP
instead of HOST) then the IP address should get preserved in
the hostname field.

> With hostname, the FULLHOST and HOST macros are capable of 
> doing this (with tuning of keep_hostname() and chain_hostnames() )

AFAIK keep_hostname() excludes the effect of chain_hostnames(),
so chain_hostnames() doesn't work here.

> Their corresponding FULLHOST_FROM and HOST_FROM macros
> exhibit the same behaviours as the SOURCEIP macro in the 
> sense that they only provide the NAME/IP of the previous relay .

More precisely the _FROM macros use the remote end of the
transport the log arrived on. Not the originating host when
there are relays!

> I have read Michael Gehrmann's post
> https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006695.html
> which discusses the compile time option 
> "--enable-spoof-source" feature which spoofs the sourceip 
> using UDP but this doesn't really help as I need to use tcp 
> and retain the relay's source (firewalls in the chain).   
> Presumably this setting would also be required on all members 
> of the relay chain.

You can use templates on the relays, and prepend/append the last
hop to the hostname part to mimic the effect of chain_hostnames.
I'm not familiar with syslog-ng 3.0, but I guess it's easier to
rewrite logs with that version.

> I guess I am really looking for an alternative way to achieve
> similar effect to Michael's solution using the first
> (original) entry in the chain (rather than spoofing the last
> entry in the chain at all points through the chain) however
> to force an IP from the original sender's entry in the chain
> (Reverse/PTR DNS resolution perhaps ??).
> What HOST_FROM is-to HOST, SOURCEIP is-to what I want.

HOST and HOST_FROM are quite different as described above.
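As an added example (not part of this thread or of the syslog-ng project's own files), a relay configuration that does what the reply above suggests: it keeps whatever host field arrived and appends the previous hop's $SOURCEIP to it, so the originating host and every relay survive across TCP hops without spoofing. The names s_net, t_chain, d_next and the peer hostname relay2 are assumptions, and the syntax is the syslog-ng 2.x options/template style discussed here.

```conf
# Added example, not from the thread. Assumed names: s_net, t_chain,
# d_next, relay2. Install the same block on every relay in the chain.
options {
    keep_hostname(yes);     # trust the host field the previous hop sent
    chain_hostnames(no);    # the chain is built by the template instead
    use_dns(no);            # keep addresses as IPs, no PTR lookups
};

# Logs arrive from the previous hop over TCP (works through firewalls,
# unlike the UDP spoof-source approach).
source s_net {
    tcp(ip(0.0.0.0) port(514));
};

# $HOST is the host field as received (with keep_hostname(yes) it is
# whatever the previous hop put there); $SOURCEIP is the IP of the TCP
# peer this relay received from, i.e. the previous hop.
# Appending "/$SOURCEIP" at each hop yields, at the final relay,
#   origin-host/origin-ip/relay1-ip/relay2-ip
# so the first element is still the original sender and the second is
# the IP that the first relay saw it connect from.
template t_chain {
    template("<$PRI>$DATE $HOST/$SOURCEIP $MSGHDR$MSG\n");
    template_escape(no);
};

destination d_next {
    tcp("relay2" port(514) template(t_chain));
};

log { source(s_net); destination(d_next); };
```

On the first relay the sender's own hostname arrives in $HOST and its IP in $SOURCEIP, so the pair "origin-host/origin-ip" is fixed at the front of the chain from the first hop on; the final relay can split the host field on "/" to recover it.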
