[syslog-ng] Host/IP Macros in relay chains

Paul Robert Marino prmarino1 at gmail.com
Fri Jan 9 22:54:00 CET 2009


I have one thing to add to this.
I know this probably goes without saying but the reverse lookup should not be reliant on DNS. It should use the system's native name resolution. I've often seen applications programmed to use only DNS for reverse resolution and in many of the secure environments I've worked in hosts files are used on loggers (also bastions, and firewalls) and DNS support is removed via the nsswitch.conf to make them impervious to DNS spoofing. DNS reliance is often a deal breaker on these hosts.
-----Original Message-----

From:  Balazs Scheidler <bazsi at balabit.hu>
Subj:  Re: [syslog-ng] Host/IP Macros  in relay chains
Date:  Fri Jan 9, 2009 1:09 pm
Size:  1K
To:  Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>

On Fri, 2009-01-09 at 10:46 +0000, Pennington, Philip wrote:
> Sandor,
> 
> 
> Thanks for your comments and useful suggestions.
> 
> The requirement is somewhat complicated in that at a point along the
> chain, I need to have the originating hostname for host filtering
> purposes, whereas at the end of the chain, I need syslog-ng to present
> the IP.  That's why I began talking about reverse name resolution on the
> last relay.

well, with syslog-ng 3.0 and parse/rewrite you could probably encode all
the needed information into the message payload and then change it back
at the endpoints.

see my blog about parse/rewrite capabilities:
http://bazsi.blogs.balabit.com/2008/10/syslog-ng-message-parsing.html

or the what's new document:
http://www.balabit.com/dl/guides/syslog-ng-v3.0-guide-whatsnew-en.pdf

the open source version of syslog-ng 3.0 is already released, although
the official announcement is still due.
-- 
Bazsi


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html



