[syslog-ng] Help with spoofing hostname
PAUL WILLIAMSON
pwilliamson at mtb.com
Fri Jan 22 15:10:40 CET 2010
Thanks for the suggestions yesterday. As usual,
there are multiple ways to solve the problem, each
of them equally easy!
Now on to my next issue...
We have a product called Symantic SIM (Security Information Manager)
that is on the receiving end of some forwarded messages. I have
the keep_hostname(yes) option enabled, and when our SIM gets the
message, the originating hostname is in the message. The problem is
that is seems like the SIM is detecting that the message is coming from
my loghost where Syslog-ng is installed, and tagging every message
like it's from that instead of the actual host. We've been over the
config with their engineers and our security department, and this is what
we got back from Symantec today.
"The hostname is available in the message, so it looks like that part is working. The problem is this, the message the SSIM sees is:
<TIME> <Syslog Server IP> <Message>
The SSIM then puts the syslog server IP as the source and destination of the host. Essentially the message needs to be sent to the SSIM as:
<TIME> <Originating device Source IP> <Message>
To do this, the message will need to be spoofed."
So, I have two questions:
1. Can the messages be spoofed?
2. Does anyone else use this product and would be willing to share configs (of either syslog-ng or SSIM).
Thanks,
Paul
************************************
This email may contain privileged and/or confidential information that is intended solely for the use of the addressee. If you are not the intended recipient or entity, you are strictly prohibited from disclosing, copying, distributing or using any of the information contained in the transmission. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act. You may not directly or indirectly reuse or disclose such information for any purpose other than to provide the services for which you are receiving the information.
There are risks associated with the use of electronic transmission. The sender of this information does not control the method of transmittal or service providers and assumes no duty or obligation for the security, receipt, or third party interception of this transmission.
************************************
More information about the syslog-ng
mailing list