[syslog-ng] Having hostname and sender's IP address in header

Matthew Hall mhall at mhcomputing.net
Tue Oct 26 05:43:07 CEST 2010


On Monday, October 25, 2010 20:36:24 Martin Holste wrote:
> I'm not entirely sure I'm following this either, but I will point out
> that the IP address is inherent in the message, not the header.

Not always true. In my past company our Ethernet switches sent the switch 
primary IP address in the place where the hostname goes, unless you 
configured it differently.

> The
> only way to preserve it is to use spoof_source(yes) on one of your
> destination blocks.  That way your $SOURCEIP macro will stay intact.

Very important point indeed.

> I would use this to forward on to Tripwire, as long as there isn't a
> router using reverse source-path verify (on Cisco).

Good thing to check!

> Then you can
> proceed normally with $HOST for your local logging and Tripwire will
> get an exact replica of them, IP and all.  I use this basic spoofing
> to copy all my incoming messages to dev log servers, which get an
> intact $SOURCEIP.  Does that help?

Good advice.

Overall, very good points as always, Martin.

These comments mesh with the comments I was making about the templates 
to use on the normal disk destinations and the tripwire destinations.

If you use a different template for Tripwire, where you reference $SOURCEIP 
instead of $HOST, and you make sure spoof_source is enabled, this will 
probably help a lot, as Tripwire will always be fed IP addresses.

-- 
Matthew Hall
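The setup discussed in this thread, written out as a syslog-ng configuration. This is an added illustration, not configuration posted by either participant: the listening port, file path, the Tripwire collector address 192.0.2.10 and the template names are assumptions. The local disk destination keeps the conventional $HOST, while the Tripwire destination uses a template that writes $SOURCEIP into the hostname slot and enables spoof_source(yes) so the forwarded UDP datagram also carries the original sender's address in its IP header.

```conf
@version: 3.2

options {
    # keep_hostname affects what $HOST resolves to; $SOURCEIP is always the
    # IP address the datagram actually arrived from and is unaffected by it.
    keep_hostname(yes);
    chain_hostnames(no);
};

# Assumed: accept syslog over UDP 514 from the network devices.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Local disk logging keeps the usual $HOST in the hostname field.
template t_local {
    template("<$PRI>$DATE $HOST $MSGHDR$MSG\n");
};

# Tripwire feed: put the sender's IP address where the hostname normally goes,
# so the collector is always fed IP addresses regardless of DNS or of what the
# device wrote into its own header.
template t_tripwire {
    template("<$PRI>$DATE $SOURCEIP $MSGHDR$MSG\n");
};

destination d_local {
    file("/var/log/network/$SOURCEIP.log" template(t_local));  # assumed path
};

# spoof_source(yes) rewrites the source address of the outgoing UDP packet to
# $SOURCEIP, so the Tripwire host sees the original device as the sender.
# Requirements/caveats:
#   - UDP only; there is no equivalent for TCP/TLS transports.
#   - syslog-ng must be built with libnet and run with raw-socket privilege
#     (root or CAP_NET_RAW), since it crafts the IP header itself.
#   - Any router between this relay and 192.0.2.10 doing unicast reverse-path
#     forwarding checks (e.g. Cisco "ip verify unicast source reachable-via")
#     will drop the spoofed packets.
#   - If messages reached this box through another relay, $SOURCEIP is that
#     relay's address, not the originating device's.
destination d_tripwire {
    udp("192.0.2.10" port(514)            # assumed collector address
        spoof_source(yes)
        template(t_tripwire));
};

log { source(s_net); destination(d_local); };
log { source(s_net); destination(d_tripwire); };
```

The two mechanisms are independent: the template controls the text in the hostname slot of the message body, while spoof_source controls the IP header of the forwarded packet. Using both means the Tripwire side gets the device's address consistently whether it reads the packet header or the message header.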

