[syslog-ng] Help with spoofing hostname

Balazs Scheidler bazsi at balabit.hu
Sat Feb 6 17:00:27 CET 2010


On Fri, 2010-01-22 at 09:10 -0500, PAUL WILLIAMSON wrote:
> Thanks for the suggestions yesterday.  As usual, 
> there are multiple ways to solve the problem, each 
> of them equally easy!  
> 
> Now on to my next issue...
> 
> We have a product called Symantec SIM (Security Information Manager)
> that is on the receiving end of some forwarded messages.  I have 
> the keep_hostname(yes) option enabled, and when our SIM gets the 
> message, the originating hostname is in the message.  The problem is 
> that it seems like the SIM is detecting that the message is coming from 
> my loghost where Syslog-ng is installed, and tagging every message 
> like it's from that instead of the actual host.  We've been over the 
> config with their engineers and our security department, and this is what 
> we got back from Symantec today.
> 
> "The hostname is available in the message, so it looks like that part is working.  The problem is this, the message the SSIM sees is:
> 
> <TIME> <Syslog Server IP> <Message>
> 
> The SSIM then puts the syslog server IP as the source and destination of the host.  Essentially the message needs to be sent to the SSIM as:
> 
> <TIME> <Originating device Source IP> <Message>
> 
> To do this, the message will need to be spoofed."
> 
> So, I have two questions:
> 
> 1.  Can the messages be spoofed?
> 2.  Does anyone else use this product and would be willing to share configs (of either syslog-ng or SSIM).

I guess the SIEM is not using the HOST portion of the syslog message as
the originating host, but rather its source IP address, which is not the
case if you use syslog-ng in between them.

If you can use UDP between syslog-ng and your SIEM, you could perhaps use
the spoof_source(yes) option on your udp destination, which will also spoof
the source IP address of each outgoing message.


-- 
Bazsi
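As an added example (not part of the original thread, and not a configuration either poster shared), this is what a minimal syslog-ng relay along the lines Bazsi suggests would look like. The SSIM address 192.0.2.10 and port numbers are placeholders. The spoof_source() option is only available when syslog-ng was built with libnet support, it only works on udp destinations, and the process needs raw-socket privileges (root or CAP_NET_RAW on Linux) to write forged source addresses; the spoofed address is the IP the relay received the message from, so a device behind a second relay still shows up as that relay. Spoofed UDP datagrams may also be dropped by routers or firewalls that do egress anti-spoofing filtering between the relay and the SIEM, so check that the SIEM actually receives them before relying on the setup.

```conf
@version: 3.0
# Added example, not from the original thread: syslog-ng as a relay that
# forwards to an SSIM while the SSIM still sees the original device as sender.

options {
    keep_hostname(yes);    # keep the HOST field the device sent (as in the thread)
    chain_hostnames(no);   # do not prepend the relay's own name to HOST
    use_dns(no);           # do not resolve sender addresses, keep them as IPs
};

# Devices send to the relay over UDP or TCP on 514 (assumed ports).
source s_devices {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# Forward to the SSIM over UDP only: spoof_source() has no effect on tcp
# destinations. With spoof_source(yes) each outgoing datagram carries the
# source IP of the device the relay received the message from, so the SSIM
# records that device, not the relay, as the source.
# Requires syslog-ng built with libnet and raw-socket privileges at runtime.
destination d_ssim {
    udp("192.0.2.10" port(514) spoof_source(yes));   # 192.0.2.10 is a placeholder
};

log {
    source(s_devices);
    destination(d_ssim);
};
```

Two checks worth making after enabling this: confirm on the SSIM side that messages now arrive with the device IP as sender rather than the relay's, and confirm on the relay that nothing in the path (host firewall rules, uRPF or egress filters on the next hop) is silently discarding the spoofed datagrams, since UDP gives no delivery feedback.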



