[syslog-ng] syslog-ng forwarding and processing issue

Denis Dolinský denis.dolinsky at gmail.com
Wed Sep 28 13:17:08 CEST 2016


Hi guys,

I have the following setup in place:
remote server - 192.168.1.10
pseudomizer - syslog-ng PE in client mode - 192.168.2.10
SIEM - 192.168.3.10

So I am sending syslog logs from the remote server to the pseudomizer:
source src { internal(); };
destination dst { udp("192.168.2.10") port(514); };
log { source(src); destination(dst); };

This is a very old config from syslog v4.

Then on pseudomizer - syslog-ng LTS 6.0.1 PE, I am collecting the logs,
processing them - removing private data, putting pseudonyms instead and
forwarding them to SIEM.

source s_net_udp514 {
    # IETF-syslog (RFC 5424) listener on UDP/514
    syslog(
        ip("192.168.2.10")
        ip-protocol(4)
        transport("udp")
        so_rcvbuf(2097152)
    );
};

source src {
    internal();
    unix-dgram("/dev/log");
    system();
};

destination d_net_udp514 {
    syslog(
        "192.168.3.10"
        port(514)
        transport("udp")
        spoof_source(yes)
        mark_mode(periodical)
    );
};

rewrite r_rewrite {
    subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));
};

log {
    source(s_net_udp514); source(src);
    rewrite(r_rewrite); # do the pseudomizing
    destination(d_net_udp514);
};

On the SIEM device, I can see only the pseudomizer's internal logs (src), not
the processed logs from the remote server.

Any advice?

Many thanks.

Denis
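Added example (not from the post and not syslog-ng code): the udp() destination on the remote server emits BSD-syslog (RFC 3164) datagrams, while the syslog() source on the pseudomizer is the IETF-syslog (RFC 5424) driver, so one useful check is to classify the payloads that actually arrive on 192.168.2.10:514. The two datagrams below are constructed samples, and pseudonymize() mirrors the post's subst() rewrite.

```python
import re

# Constructed sample datagrams (not captured from the poster's network).
# A legacy udp() destination sends BSD-syslog (RFC 3164) payloads like this:
BSD_DATAGRAM = b"<13>Sep 28 13:17:08 remote sshd[1234]: Accepted password for admin from 10.0.0.5"
# A syslog() source expects IETF-syslog (RFC 5424) payloads: a version "1" follows the PRI.
IETF_DATAGRAM = b"<13>1 2016-09-28T13:17:08+02:00 remote sshd 1234 - - Accepted password for admin from 10.0.0.5"

# PRI, version 1, timestamp, host, app, procid, msgid, structured-data, optional message
RFC5424_RE = re.compile(rb"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*\]) ?(.*)$", re.DOTALL)
# PRI, "Mmm dd hh:mm:ss" timestamp, host, then tag and content
RFC3164_RE = re.compile(rb"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)

def classify(datagram: bytes) -> str:
    """Return 'rfc5424', 'rfc3164' or 'unknown' for one UDP payload."""
    if RFC5424_RE.match(datagram):
        return "rfc5424"
    if RFC3164_RE.match(datagram):
        return "rfc3164"
    return "unknown"

def message_field(datagram: bytes) -> str:
    """Return the text after the header (for RFC 3164 this still carries the 'prog[pid]:' tag),
    or the whole payload when neither header parses."""
    m = RFC5424_RE.match(datagram)
    if m:
        return m.group(8).decode("utf-8", "replace")
    m = RFC3164_RE.match(datagram)
    if m:
        return m.group(4).decode("utf-8", "replace")
    return datagram.decode("utf-8", "replace")

def pseudonymize(message: str) -> str:
    """Mirror the post's rewrite: subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"))."""
    return re.sub(r"admin", "pseudonym000001", message)

def inspect(datagram: bytes) -> dict:
    """Classify a payload and show what the message text would look like after the rewrite."""
    fmt = classify(datagram)
    return {
        "format": fmt,
        # only RFC 5424 payloads are what the syslog() source in the post is configured for
        "matches_syslog_source": fmt == "rfc5424",
        "message": pseudonymize(message_field(datagram)),
    }

if __name__ == "__main__":
    for d in (BSD_DATAGRAM, IETF_DATAGRAM):
        print(inspect(d))
```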

