[syslog-ng] Host/IP Macros in relay chains

Balazs Scheidler bazsi at balabit.hu
Sat Jan 10 22:39:19 CET 2009


On Fri, 2009-01-09 at 16:54 -0500, Paul Robert Marino wrote:
> I have one thing to add to this.
> I know this probably goes without saying but the reverse lookup should not be reliant on DNS. It should use the system's native name resolution. I've often seen applications programmed to use only DNS for reverse resolution and in many of the secure environments I've worked in hosts files are used on loggers (also bastions, and firewalls) and DNS support is removed via the nsswitch.conf to make them impervious to DNS spoofing. DNS reliance is often a deal breaker on these hosts.

syslog-ng is capable of ignoring DNS while still resolving hosts from
the local hosts file (/etc/hosts, or another file with the same format).

See the dns-cache(persist-only) option.

> -----Original Message-----
> 
> From:  Balazs Scheidler <bazsi at balabit.hu>
> Subj:  Re: [syslog-ng] Host/IP Macros  in relay chains
> Date:  Fri Jan 9, 2009 1:09 pm
> Size:  1K
> To:  Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
> 
> On Fri, 2009-01-09 at 10:46 +0000, Pennington, Philip wrote:
> > Sandor,
> > 
> > 
> > Thanks for your comments and useful suggestions.
> > 
> > The requirement is somewhat complicated in that at a point along the
> > chain, I need to have the originating hostname for host filtering
> > purposes, whereas at the end of the chain, I need syslog-ng to present
> > the IP.  That's why I began talking about reverse name resolution on the
> > last relay.
> 
> well, with syslog-ng 3.0 and parse/rewrite you could probably encode all
> the needed information into the message payload and then change it back
> at the endpoints.
> 
> see my blog about parse/rewrite capabilities:
> http://bazsi.blogs.balabit.com/2008/10/syslog-ng-message-parsing.html
> 
> or the What's New document:
> http://www.balabit.com/dl/guides/syslog-ng-v3.0-guide-whatsnew-en.pdf
> 
> the open source version of syslog-ng 3.0 is already released, although
> the official announcement is still due.
-- 
Bazsi
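To make the two suggestions in this thread concrete, here is an added configuration example (my own, not code from the thread or from the syslog-ng project). It puts the three hops of a relay chain into one file for illustration only; each hop would carry just its own section. It assumes the syslog-ng 3.x global options use_dns(persist_only) and dns_cache_hosts(), the rewrite set() function, the csv_parser greedy flag and the $SOURCEIP macro as described in the 3.x documentation; the hostnames, ports and file paths are made up.

```conf
# Added example: hosts-file-only resolution plus encoding the originating
# host in the payload so later hops can filter on it and the collector can
# present the IP. Hostnames, ports and paths below are assumptions.
@version: 3.0

options {
    # Resolve client addresses only from a hosts-format file and never query
    # DNS. This matches hosts where DNS is removed from nsswitch.conf and
    # removes the exposure to spoofed PTR answers.
    use_dns(persist_only);
    dns_cache(yes);
    dns_cache_hosts(/etc/hosts);
    # Take HOST from the resolved sender address rather than from whatever
    # the client put in the syslog header; the origin is carried in the
    # payload from the first hop onward, so later hops do not depend on it.
    keep_hostname(no);
    chain_hostnames(no);
};

source s_net { udp(port(514)); tcp(port(514) max_connections(100)); };

# --- First relay only -------------------------------------------------
# On this hop $SOURCEIP is the originating host and $HOST its name from
# /etc/hosts. Prefix both to the message body as "host/ip ".
rewrite r_encode {
    set("$HOST/$SOURCEIP $MESSAGE" value("MESSAGE"));
};
destination d_next_hop { tcp("relay2.example.net" port(514)); };
log { source(s_net); rewrite(r_encode); destination(d_next_hop); };

# --- Intermediate relay only ------------------------------------------
# Here $HOST would be the previous relay, so filter on the encoded name.
# Example: forward only messages that originated on web01, web02, ...
filter f_webservers { match("^web[0-9]+\\.example\\.net/" value("MESSAGE")); };
destination d_collector { tcp("collector.example.net" port(514)); };
log { source(s_net); filter(f_webservers); destination(d_collector); };

# --- Final collector only ---------------------------------------------
# Split "host/ip rest-of-message" back into three values; greedy makes
# the last column swallow the remainder of the message.
parser p_decode {
    csv_parser(columns("ORIGHOST", "ORIGIP", "REST")
               delimiters(" /")
               flags(greedy, escape-none)
               template("$MESSAGE"));
};
# Present the originating IP, not the last relay, in the stored line.
destination d_file {
    file("/var/log/remote/by-origin.log"
         template("$DATE ${ORIGIP} $PROGRAM: ${REST}\n"));
};
log { source(s_net); parser(p_decode); destination(d_file); };
```

Only the first hop needs a working hosts file for the originating clients; every later hop reads the name and address out of the payload, so a relay whose own resolution is deliberately crippled still filters correctly. If a relay in the middle also needs the name in $HOST for other reasons, the same csv_parser can be run there and its ${ORIGHOST} used in place of $HOST.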