[syslog-ng] Central netlog server for hosts behind NAT

Scheidler, Balázs balazs.scheidler at balabit.com
Sat Jul 30 20:02:00 CEST 2016


I am not sure I understand your use case and question. $HOST is populated
based on the host field within the message, and senders are free to set that
to whatever they please.

If that field is missing (which it might be), syslog-ng fills it in based on
the sender IP address.

There are alternative macros (such as $SOURCEIP), which is the actual IP
address the datagram was received from by syslog-ng. But you can also play
with $HOST-related syslog-ng options such as keep-hostname().

Could you try to rephrase your question?
Thanks
Bazsi


-- 
Bazsi

On Wed, Jul 27, 2016 at 6:20 PM, Hollósi Botond <bhollosi at opennet.hu> wrote:

> Hi,
>
>
> We would like to monitor all hosts that are behind different NATs.
>
> The main goal: every host's log (which comes over the NAT) goes to a separate
> log file. So every log file will contain only one host's log messages.
>
>
> The idea is to separate the log messages based on IP packet
> parameters: 'date', 'source public IP address (NAT address)' and 'destination
> UDP port'.
>
> Problem: it seems the hosts' log messages are mixed with each other in the
> final log files.
>
> For example, this:
> /var/log/remote_log/07/27/37.220.128.16/100/local0.log
> and this:
> /var/log/remote_log/07/27/89.135.48.161/100/local0.log
> also contain messages coming from host 100 behind the IP 94.21.180.56
> (it is sure because some rows from the log contain the host identifier, but
> sadly not all rows contain it),
>
> but only this one should contain the messages, because the host is behind
> this public IP 94.21.180.56:
> /var/log/remote_log/07/27/94.21.180.56/100/local0.log
>
> Is the config below capable of handling this purpose, or did I
> misconfigure something?
>
>
>
> OS:
> Debian 8 latest
> 3.2.0-4-amd64 #1 SMP Debian 3.2.81-1 x86_64 GNU/Linux
>
> Version:
> Syslog-ng install with apt-get install from
> http://httpredir.debian.org/debian this repo. And version
> syslog-ng-core                 3.5.6-2+b1
>
> The installed config is untouched, but I made an additional config file
> /etc/syslog-ng/conf.d/remote.conf with this content.
>
> source s_net_0 { network( ip(0.0.0.0) port(600) transport(udp)); };
> source s_net_1 { network( ip(0.0.0.0) port(601) transport(udp)); };
> source s_net_2 { network( ip(0.0.0.0) port(602) transport(udp)); };
> source s_net_3 { network( ip(0.0.0.0) port(603) transport(udp)); };
> source s_net_4 { network( ip(0.0.0.0) port(604) transport(udp)); };
> source s_net_5 { network( ip(0.0.0.0) port(605) transport(udp)); };
> source s_net_6 { network( ip(0.0.0.0) port(606) transport(udp)); };
> source s_net_7 { network( ip(0.0.0.0) port(607) transport(udp)); };
> source s_net_8 { network( ip(0.0.0.0) port(608) transport(udp)); };
> source s_net_9 { network( ip(0.0.0.0) port(609) transport(udp)); };
> source s_net_10 { network( ip(0.0.0.0) port(610) transport(udp)); };
> source s_net_11 { network( ip(0.0.0.0) port(611) transport(udp)); };
> source s_net_12 { network( ip(0.0.0.0) port(612) transport(udp)); };
> source s_net_13 { network( ip(0.0.0.0) port(613) transport(udp)); };
> source s_net_14 { network( ip(0.0.0.0) port(614) transport(udp)); };
> source s_net_15 { network( ip(0.0.0.0) port(615) transport(udp)); };
> source s_net_16 { network( ip(0.0.0.0) port(616) transport(udp)); };
> source s_net_17 { network( ip(0.0.0.0) port(617) transport(udp)); };
> source s_net_18 { network( ip(0.0.0.0) port(618) transport(udp)); };
> source s_net_19 { network( ip(0.0.0.0) port(619) transport(udp)); };
> source s_net_20 { network( ip(0.0.0.0) port(620) transport(udp)); };
> source s_net_21 { network( ip(0.0.0.0) port(621) transport(udp)); };
> source s_net_22 { network( ip(0.0.0.0) port(622) transport(udp)); };
> source s_net_23 { network( ip(0.0.0.0) port(623) transport(udp)); };
>
> destination d_file_0 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/100/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_1 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/101/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_2 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/102/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_3 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/103/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_4 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/104/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_5 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/105/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_6 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/106/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_7 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/107/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_8 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/108/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_9 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/109/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_10 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/110/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_11 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/111/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_12 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/112/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_13 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/113/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_14 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/114/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_15 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/115/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_16 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/116/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_17 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/117/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_18 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/118/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_19 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/119/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_20 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/120/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_21 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/121/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_22 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/122/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
> destination d_file_23 {
> file("/var/log/remote_log/$R_MONTH/$R_DAY/$HOST/123/$FACILITY.log"
> owner(root) group(root) create-dirs(yes) perm(0700) dir-perm(0700)); };
>
> log { source(s_net_0); destination(d_file_0); };
> log { source(s_net_1); destination(d_file_1); };
> log { source(s_net_2); destination(d_file_2); };
> log { source(s_net_3); destination(d_file_3); };
> log { source(s_net_4); destination(d_file_4); };
> log { source(s_net_5); destination(d_file_5); };
> log { source(s_net_6); destination(d_file_6); };
> log { source(s_net_7); destination(d_file_7); };
> log { source(s_net_8); destination(d_file_8); };
> log { source(s_net_9); destination(d_file_9); };
> log { source(s_net_10); destination(d_file_10); };
> log { source(s_net_11); destination(d_file_11); };
> log { source(s_net_12); destination(d_file_12); };
> log { source(s_net_13); destination(d_file_13); };
> log { source(s_net_14); destination(d_file_14); };
> log { source(s_net_15); destination(d_file_15); };
> log { source(s_net_16); destination(d_file_16); };
> log { source(s_net_17); destination(d_file_17); };
> log { source(s_net_18); destination(d_file_18); };
> log { source(s_net_19); destination(d_file_19); };
> log { source(s_net_20); destination(d_file_20); };
> log { source(s_net_21); destination(d_file_21); };
> log { source(s_net_22); destination(d_file_22); };
> log { source(s_net_23); destination(d_file_23); };
>
>
>
> --
> Regards:
> Hollósi Botond
> Opennetworks Kft.
> Tel.: 06-1-9996000
> Mobile: 06-20-4362032
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
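The following is an added example illustrating the reply above; it is not part of the thread and not syslog-ng's own sample configuration. It keys the on-disk path on $SOURCEIP (the address the datagram actually came from) instead of $HOST (a field the sender fills in and may set to anything), and it writes both values into every line so a mismatch between the claimed and the observed sender can be audited afterwards. The block names s_nat_port and d_nat_port, the per-port directory naming and the line template are assumptions; the listening ports 600 and 601 are taken from the original configuration (the remaining 22 ports would be added the same way). Because $SOURCEIP is the NAT's public address, every host behind one NAT still collapses into the same directory; the per-port subdirectory is what keeps them apart, exactly as in the original setup.

```conf
@version: 3.5

# Added example, not from the thread. Global options: stop trusting the HOST
# field carried inside the message and avoid reverse DNS when filling $HOST.
options {
    keep-hostname(no);   # $HOST is derived from the sender address, not the message
    use-dns(no);         # no reverse lookups: $HOST stays the sender IP
    create-dirs(yes);
};

# Block definitions (assumed names) so each per-port source/destination pair
# is written once instead of 24 times.
block source s_nat_port(port()) {
    network(ip(0.0.0.0) port(`port`) transport(udp));
};

block destination d_nat_port(port()) {
    file("/var/log/remote_log/$R_MONTH/$R_DAY/$SOURCEIP/`port`/$FACILITY.log"
         owner(root) group(root) perm(0600) dir-perm(0700)
         # both the observed sender and the claimed host go into the line,
         # so a forged or misconfigured HOST field is visible in the file
         template("$ISODATE src=$SOURCEIP claimed_host=$HOST $PROGRAM[$PID]: $MSG\n"));
};

# Ports 600 and 601 from the original configuration; one pair per NATed host.
source s_net_600 { s_nat_port(port(600)); };
destination d_file_600 { d_nat_port(port(600)); };
log { source(s_net_600); destination(d_file_600); };

source s_net_601 { s_nat_port(port(601)); };
destination d_file_601 { d_nat_port(port(601)); };
log { source(s_net_601); destination(d_file_601); };
```

With this layout a message arriving on port 600 from 94.21.180.56 lands in /var/log/remote_log/$R_MONTH/$R_DAY/94.21.180.56/600/$FACILITY.log regardless of what its HOST field says; the claimed_host column then shows which senders carry a hostname that does not match where their datagrams really come from.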