[syslog-ng] Parse client IP out of Proxy Protocol Line in TCP syslog->ELB->syslog-ng

Scheidler, Balázs balazs.scheidler at balabit.com
Sat Oct 17 08:41:08 CEST 2015


Hi,

Sorry I was distracted, here's a block definition for this format that you
can simply use as a parser:

block parser aws-proxy-protocol-header() {
    csv-parser(delimiters(" ")
               columns(".aws.proxy", ".aws.inet_protocol",
                       ".aws.client_ip", ".aws.proxy_ip",
                       ".aws.client_port", ".aws.proxy_port"));
};

Just put it somewhere in your configuration file, or into a separate file
and include it.

This is how I tested it.


@version: 3.7

block parser aws-proxy-protocol-header() {
    csv-parser(delimiters(" ")
               columns(".aws.proxy", ".aws.inet_protocol",
                       ".aws.client_ip", ".aws.proxy_ip",
                       ".aws.client_port", ".aws.proxy_port"));
};

log {
    source { file("aws-sample.log" flags(no-parse)); };
    parser { aws-proxy-protocol-header(); };
    destination {
        file("/dev/stdout" template("$(format-json .aws.*)\n"));
    };
};



-- 
Bazsi

On Thu, Oct 15, 2015 at 7:28 PM, Nadine Miller <nadine.miller at defpoint.com>
wrote:

> I've searched through the archives and spent some time trying to find
> possible answers on the web, but haven't found a definitive answer.
>
> I'm in a situation where I need to parse syslog streams being
> forwarded through an AWS ELB. The normal configuration of the ELB
> resets the source IP to be the ELB's IP address. Logs are coming from
> multiple AWS VPCs, and we've already discovered duplicate hostnames
> across different VPCs, which has mingled logs from different hosts
> into one receiving log file.
>
> The ELB has another mode, referred to as "Proxy Protocol" which adds a
> single line to the TCP stream in the form:
>
> PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP
> + single space + PROXY_IP + single space + CLIENT_PORT + single space
> + PROXY_PORT + "\r\n"
>
> Example:
>
> PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n
>
> Is it possible to use this proxy line in syslog-ng to properly
> segregate the log messages? If so, what would be the best method to
> use? I've done a lot of filtering/templating with normal UDP syslog
> and syslog-ng, but this is the first time I've had to consider
> something crazy like this.
>
> Currently there is no option at this time to change configurations at
> endpoints sending the syslog messages, nor can we remove the ELB.
>
> For reference:
>
> http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html
>
> Thanks in advance--
> =N=
>
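The csv-parser block above splits the header into six columns but does not check them, so a malformed or truncated line would still yield a ".aws.client_ip" value that routing decisions might trust. The following is an added example (not from the original thread or from syslog-ng) that parses the same PROXY v1 line format quoted in the post, names the fields after the csv-parser columns, and rejects anything that is not a well-formed header; the sample lines are constructed, and the 107-byte line limit and the UNKNOWN variant come from the PROXY protocol v1 specification rather than from this thread.

```python
import ipaddress

# Constructed sample header lines: a TCP4 header (from the post), a TCP6
# header, an UNKNOWN header, and two malformed lines that must be rejected.
SAMPLE_LINES = [
    "PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n",
    "PROXY TCP6 2001:db8::1 2001:db8::2 49152 514\r\n",
    "PROXY UNKNOWN\r\n",
    "PROXY TCP4 198.51.100.22 203.0.113.7 70000 80\r\n",  # port out of range
    "PROXY TCP4 not-an-ip 203.0.113.7 35646 80\r\n",      # bad client IP
]

# Field names mirror the syslog-ng csv-parser columns from the reply above.
COLUMNS = (".aws.proxy", ".aws.inet_protocol", ".aws.client_ip",
           ".aws.proxy_ip", ".aws.client_port", ".aws.proxy_port")


def parse_proxy_v1(line):
    """Parse one PROXY protocol v1 header line.

    Returns a dict keyed like the csv-parser columns, or None when the line
    is not a well-formed header.  A malformed header is rejected outright
    rather than partially filled in, so it can never be used to segregate
    logs by client IP.
    """
    # The v1 spec caps the whole line, CRLF included, at 107 bytes.
    if not line.endswith("\r\n") or len(line) > 107:
        return None
    fields = line[:-2].split(" ")
    if fields[0] != "PROXY":
        return None
    if fields[1:] == ["UNKNOWN"]:
        # Valid header that carries no addresses: keep the marker only.
        return dict(zip(COLUMNS, ["PROXY", "UNKNOWN", "", "", "", ""]))
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        return None
    want = 4 if fields[1] == "TCP4" else 6
    try:
        client_ip = ipaddress.ip_address(fields[2])
        proxy_ip = ipaddress.ip_address(fields[3])
    except ValueError:
        return None
    if client_ip.version != want or proxy_ip.version != want:
        return None
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        return None
    return dict(zip(COLUMNS, fields))


def parse_all(lines):
    """Parse a batch of header lines; returns (accepted records, rejected count)."""
    accepted = [r for r in (parse_proxy_v1(l) for l in lines) if r is not None]
    return accepted, len(lines) - len(accepted)
```

Running `parse_all(SAMPLE_LINES)` accepts the first three lines and rejects the two malformed ones, which is the check a receiver should make before using the client address for routing.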