[syslog-ng] Having hostname and sender's IP address in header

Worsham, Michael mworsham at SCIRES.COM
Tue Oct 26 05:39:50 CEST 2010


Where would I put the spoof_source(yes) variable/setting -- on the syslog/DCS server or on each RHEL client?

-- M

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Martin Holste
Sent: Monday, October 25, 2010 11:36 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Having hostname and sender's IP address in header

I'm not entirely sure I'm following this either, but I will point out
that the IP address is inherent in the message, not the header.  The
only way to preserve it is to use spoof_source(yes) on one of your
destination blocks.  That way your $SOURCEIP macro will stay intact.
I would use this to forward on to Tripwire, as long as there isn't a
router using reverse source-path verify (on Cisco).  Then you can
proceed normally with $HOST for your local logging and Tripwire will
get an exact replica of them, IP and all.  I use this basic spoofing
to copy all my incoming messages to dev log servers, which get an
intact $SOURCEIP.  Does that help?

On Mon, Oct 25, 2010 at 10:07 PM, Worsham, Michael <mworsham at scires.com> wrote:
> Almost. I am confused on the "set properties to preserve hostnames" and "set appropriate template" pieces. I am still rather new to this. I am just happy I got TLS encryption working and integrated TLS with Syslog4j for Weblogic support.
>
> So I guess back to the original question, is it not possible to pass over the hostname and IP address at the same time in the header?
>
> -- M
>
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Matthew Hall
> Sent: Monday, October 25, 2010 10:05 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Having hostname and sender's IP address in header
>
> Michael,
>
> Let's say for the sake of discussion all syslogs arrive from here:
>
>> source s_general {
>>         tcp(ip(10.153.29.235) port (514) max-connections(1000) );
>> };
>
> Now you could do this:
>
>> source s_general {
>>         tcp(ip(10.153.29.235) port (514) max-connections(1000) );
>> };
>
> source s_loopback_local {
>    udp(ip(127.0.0.1) port(5140));
>    # set properties to preserve hostnames
> };
>
> source s_loopback_tripwire {
>    udp(ip(127.0.0.1) port(5141));
>    # set properties to preserve IP addresses
> };
>
> destination d_loopback_local {
>    udp(ip(127.0.0.1) port(5140));
>    # set appropriate template
> };
>
> destination d_loopback_tripwire {
>    udp(ip(127.0.0.1) port(5141));
>    # set appropriate template
> };
>
> log {
>    source(s_general);
>    destination(d_loopback_local);
>    destination(d_loopback_tripwire);
>    flags(final);
> };
>
> log {
>    source(s_loopback_local);
>    destination(***local storage log files***);
> };
>
> log {
>    source(s_loopback_tripwire);
>    destination(***remote relay to tripwire using d_tripwire_udp***);
> };
>
>> destination d_tripwire_udp {
>>         udp("10.153.29.249" port (514));
>> };
>
> Is this description more clear?
>
> Cheers,
> Matthew.
>
> On Mon, Oct 25, 2010 at 07:57:08PM -0400, Worsham, Michael wrote:
>> Umm... what? Totally lost me there.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html


CONFIDENTIALITY NOTICE:  This email and any attachments are intended solely for the use of the named recipient(s).  This email may contain confidential and/or proprietary information of Scientific Research Corporation.  If you are not a named recipient, you are prohibited from reviewing, copying, using, disclosing or distributing to others the information in this email and attachments.  If you believe you have received this email in error, please notify the sender immediately and permanently delete the email, any attachments, and all copies thereof from any drives or storage media and destroy any printouts of the email or attachments.

EXPORT COMPLIANCE NOTICE:  This email and any attachments may contain technical data subject to U.S export restrictions under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).  Export or transfer of this technical data and/or related information to any foreign person(s) or entity(ies), either within the U.S. or outside of the U.S., may require advance export authorization by the appropriate U.S. Government agency prior to export or transfer.  In addition, technical data may not be exported or transferred to certain countries or specified designated nationals identified by U.S. embargo controls without prior export authorization.  By accepting this email and any attachments, all recipients confirm that they understand and will comply with all applicable ITAR, EAR and embargo compliance requirements.
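The relay-side configuration Martin describes, written out as an added example; it is not configuration from the thread or from syslog-ng's own documentation. It reuses the addresses and ports from Matthew's snippet (10.153.29.235 as the syslog relay, 10.153.29.249 as the Tripwire host), assumes syslog-ng 3.x syntax, and uses a hypothetical log directory /var/log/remote:

```conf
@version: 3.2

options {
    keep_hostname(yes);    # trust the hostname in the incoming header instead of rewriting it
    chain_hostnames(no);   # don't prepend the relay's own name to $HOST
    use_dns(no);           # leave $HOST as sent; don't resolve the peer address
    create_dirs(yes);      # for the per-host file() destination below (assumed path)
};

# The RHEL clients send here exactly as before; nothing changes on the clients.
source s_general {
    tcp(ip(10.153.29.235) port(514) max-connections(1000));
};

# Local storage: keep the sender's claimed hostname ($HOST) and the address
# the TCP connection actually came from ($SOURCEIP) side by side, so the two
# can be compared later if a client's header looks wrong.
destination d_local {
    file("/var/log/remote/${HOST}.log"
         template("${ISODATE} host=${HOST} srcip=${SOURCEIP} ${MSGHDR}${MSG}\n"));
};

# Forward to Tripwire with the original client address as the UDP source.
# spoof_source() is an option of the udp() *destination* on the relay,
# so Tripwire receives packets that appear to come from the client and its
# own sender-address field matches the client, not 10.153.29.235.
destination d_tripwire_udp {
    udp("10.153.29.249" port(514) spoof_source(yes));
};

# The same forward without spoofing, for comparison: every message would
# reach Tripwire with the relay's address as the packet source.
destination d_tripwire_plain {
    udp("10.153.29.249" port(514));
};

log {
    source(s_general);
    destination(d_local);
    destination(d_tripwire_udp);
};
```

So the answer to "server or clients" is the relay: spoof_source(yes) goes on the relay's udp() destination block, and the clients are untouched. Three caveats before relying on it. It only exists for udp() destinations (TCP and TLS connections cannot carry a spoofed source), syslog-ng must have been built with libnet, and the process needs raw-socket privilege (root or CAP_NET_RAW on Linux). As Martin notes, any router between relay and Tripwire doing reverse-path (uRPF-style) source verification will silently drop the spoofed packets. And once spoofing is on, Tripwire can no longer tell a relayed message from one sent to it directly, which is why the relay keeps its own copy with srcip recorded. To check that spoofing actually works, run `tcpdump -ni eth0 udp port 514` on the Tripwire host and confirm the source address of arriving packets is the client's, not the relay's.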

