[syslog-ng] syslog-ng forwarding and processing issue

Fekete, Róbert robert.fekete at balabit.com
Wed Sep 28 13:47:09 CEST 2016 

Hi,

The destination on your remote server and the source on the pseudomizer
host do not match: the first one uses the udp() driver (RFC3164 protocol),
while the second uses the syslog() driver (RFC5424) protocol.

Change the destination driver to syslog() on the remote server. (For more
possibilities, see
https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html
 )

HTH

Robert

On Wed, Sep 28, 2016 at 1:17 PM, Denis Dolinský <denis.dolinsky at gmail.com>
wrote:

> Hi guys,
>
> I have following setup in place:
> remote server - 192.168.1.10
> pseudomizer - syslog-ng PE in client mode - 192.168.2.10
> SIEM - 192.168.3.10
>
> So I am sending syslog logs from remote server to pseudomizer:
> source src { internal()};
> destination dst { udp ("192.168.2.10) port (514);};
> log { source(src); destination (dst);
>
> this is very old config from syslog v4
>
> Then on pseudomizer - syslog-ng LTS 6.0.1 PE, I am collecting the logs,
> processing them - removing private data, putting pseudonyms instead and
> forwarding them to SIEM.
>
> source s_net_udp514 {
>     syslog(
>         ip(192.168.2.10)
>         ip-protocol(4)
>         transport("udp")
>         so_rcvbuf(2097152)
>         );
> };
>
> source src {
>         internal();
>         unix-dgram("/dev/log");
>         system ();
> };
>
> destination d_net_udp514 {
>          syslog (
>          "192.168.3.10"
>          port(514)
>          transport(udp)
>          spoof_source(yes)
>          mark_mode(periodical));};
> rewrite r_rewrite {
> subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));
>
> log {
>         source(s_net_udp514); source (src);
>         rewrite(r_rewrite); # do the pseudomizing
>         destination(d_net_udp514);
> };
>
> On SIEM device, I can see only pseudomizer internal logs (src), not
> processed logs from remote server.
>
> Any advice ?
>
> Many thanks.
>
> Denis
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20160928/2788f6a8/attachment.htm

More information about the syslog-ng mailing list