[syslog-ng] syslog-ng forwarding and processing issue

Denis Dolinský denis.dolinsky at gmail.com
Thu Sep 29 09:29:15 CEST 2016


Hi,

yes, I need spoof_source to be enabled for source identification ...

Denis

2016-09-28 16:44 GMT+02:00 Szalai, Attila <Attila.Szalai at morganstanley.com>:

> Just a quick note.
>
> The warning message about the binding issue is caused by the spoof_source
> option. Is that option necessary?
>
>
>
> *From:* syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] *On Behalf Of *Denis Dolinský
> *Sent:* Wednesday, September 28, 2016 3:47 PM
>
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue
>
>
>
> hi guys,
>
>
>
> this is stats:
>
>
>
> destination;d_net_udp514;;a;processed;13
> source;s_net_udp514;;a;processed;3
> dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;dropped;0
> dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;processed;10
> dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;stored;0
>
>
>
> from debug:
>
>
>
> Incoming log entry; source='s_net_udp514#0', line='<78> remote_server /usr/sbin/cron[24934]:
> Can't bind hostname for the IP address, therefore using IP address as hostname; IP address='192.168.2.1'
>
>
>
> Do you see anything that I am not doing?
>
>
>
> Thanks.
>
>
>
> Denis
>
>
>
> 2016-09-28 14:02 GMT+02:00 Szalai, Attila <Attila.Szalai at morganstanley.com>:
>
> Hi,
>
>
>
> In the case of udp, the syslog source should handle receiving logs in both the
> old and the new format. (But that is more an exception than the rule, so
> matching the receiver and the sender is a good idea generally.)
>
>
>
> Before anything else I would check whether the logs arrive at the anonymizer
> host or not. The statistics can help with this. Also, if there are parsing
> issues, syslog-ng would report this through its log.
>
>
>
> After that, starting syslog-ng with debug logs enabled can also help in
> discovering what is happening with the received log.
>
>
>
> *From:* syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] *On Behalf Of *Fekete, Róbert
> *Sent:* Wednesday, September 28, 2016 1:47 PM
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue
>
>
>
> Hi,
>
>
>
> The destination on your remote server and the source on the pseudomizer
> host do not match: the first one uses the udp() driver (RFC3164 protocol),
> while the second uses the syslog() driver (RFC5424 protocol).
>
>
>
> Change the destination driver to syslog() on the remote server. (For more
> possibilities, see https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html )
>
>
>
> HTH
>
>
>
> Robert
>
>
>
> On Wed, Sep 28, 2016 at 1:17 PM, Denis Dolinský <denis.dolinsky at gmail.com>
> wrote:
>
> Hi guys,
>
> I have following setup in place:
>
> remote server - 192.168.1.10
>
> pseudomizer - syslog-ng PE in client mode - 192.168.2.10
>
> SIEM - 192.168.3.10
>
> So I am sending syslog logs from the remote server to the pseudomizer:
>
> source src { internal(); };
>
> destination dst { udp("192.168.2.10" port(514)); };
>
> log { source(src); destination(dst); };
>
> this is a very old config from syslog v4
>
> Then on the pseudomizer (syslog-ng LTS 6.0.1 PE) I am collecting the logs,
> processing them (removing private data and putting pseudonyms in instead) and
> forwarding them to the SIEM.
>
> source s_net_udp514 {
>     syslog(
>         ip("192.168.2.10")
>         ip-protocol(4)
>         transport("udp")
>         so_rcvbuf(2097152)
>         );
> };
>
> source src {
>         internal();
>         unix-dgram("/dev/log");
>         system ();
> };
>
> destination d_net_udp514 {
>          syslog (
>          "192.168.3.10"
>          port(514)
>          transport(udp)
>          spoof_source(yes)
>          mark_mode(periodical));};
> rewrite r_rewrite {
>         subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));
> };
>
> log {
>         source(s_net_udp514); source (src);
>         rewrite(r_rewrite); # do the pseudomizing
>         destination(d_net_udp514);
> };
>
> On the SIEM device, I can see only the pseudomizer's internal logs (src), not
> the processed logs from the remote server.
>
> Any advice ?
>
> Many thanks.
>
> Denis
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
>
>
>
>
>
>
>
> --
>
> Ing. Denis Dolinský
> denis.dolinsky at gmail.com
> private cell: *+421 907 530711*
>
>
>
>
>
>
>


-- 
Ing. Denis Dolinský
denis.dolinsky at gmail.com
private cell: *+421 907 530711*
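The two things the thread turns on, as an added example that is not part of the thread and is not syslog-ng code: the RFC 3164 / RFC 5424 framing difference Róbert points out between a udp() destination and a syslog() source, and what Denis's subst("admin", "pseudonym000001", value("MESSAGE"), flags("global")) rule actually does to a message once it is parsed. The two sample datagrams are constructed for the example; the two regexes are a deliberately minimal subset of each RFC, not syslog-ng's parser; and the word-anchored \badmin\b pattern is my own suggestion (subst() takes a regular expression, so the bare "admin" in the posted rule also matches inside words such as "administrator", and because the rule names value("MESSAGE") only, the HOST and PROGRAM fields are never rewritten).

```python
"""Added example (not code from this thread or from syslog-ng).

classify()/parse(): how an RFC 3164 datagram (what a udp() destination
sends) and an RFC 5424 datagram (what a syslog() source expects) differ on
the wire, using a minimal regex per format.
pseudonymize(): mirrors the posted subst() rewrite rule on the parsed
MESSAGE field so its substring-match behaviour can be seen.
Both sample datagrams are constructed for this example.
"""
import re

# Constructed samples: the same cron event, first as a udp() destination
# would send it (RFC 3164), then as a syslog() destination would (RFC 5424).
RFC3164_SAMPLE = (
    "<78>Sep 28 15:47:01 remote_server /usr/sbin/cron[24934]: "
    "(admin) CMD (/usr/local/bin/administrator-backup.sh)"
)
RFC5424_SAMPLE = (
    "<78>1 2016-09-28T15:47:01+02:00 remote_server /usr/sbin/cron 24934 - - "
    "(admin) CMD (/usr/local/bin/administrator-backup.sh)"
)

PRI_RE = re.compile(r"^<(\d{1,3})>")

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP
# MSGID SP STRUCTURED-DATA [SP MSG].  Only "-" or one SD element is handled.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) ?(?P<msg>.*)$"
)

# RFC 3164: <PRI>TIMESTAMP SP HOSTNAME SP TAG[PID]: MSG with the classic
# "Mmm dd hh:mm:ss" timestamp.  Timestamp-less variants that some very old
# senders emit are not handled by this minimal regex.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def classify(datagram: str) -> str:
    """Return 'rfc5424', 'rfc3164' or 'unknown' for a raw syslog datagram.

    RFC 5424 places a one-digit VERSION directly after <PRI>, followed by a
    space; RFC 3164 places the timestamp (or a hostname) there instead.
    """
    m = PRI_RE.match(datagram)
    if not m:
        return "unknown"
    rest = datagram[m.end():]
    if len(rest) >= 2 and rest[0].isdigit() and rest[1] == " ":
        return "rfc5424"
    return "rfc3164"


def parse(datagram: str) -> dict:
    """Split a datagram into the fields a syslog-ng rewrite can address
    (HOST, PROGRAM, PID, MESSAGE) plus facility/severity taken from PRI."""
    fmt = classify(datagram)
    regex = {"rfc5424": RFC5424_RE, "rfc3164": RFC3164_RE}.get(fmt)
    m = regex.match(datagram) if regex else None
    if m is None:
        raise ValueError(f"cannot parse as {fmt}: {datagram!r}")
    g = m.groupdict()
    pri = int(g["pri"])
    return {
        "format": fmt,
        "facility": pri // 8,
        "severity": pri % 8,
        "host": g["host"],
        "program": g.get("app") or g.get("tag"),
        "pid": g.get("pid"),
        "message": g["msg"],
    }


def pseudonymize(fields: dict, pattern: str = "admin",
                 replacement: str = "pseudonym000001") -> dict:
    """Mirror the posted rule: a global regex substitution on MESSAGE only.
    The default pattern is the bare "admin" from the thread; demo() also
    runs the word-anchored variant to show the difference."""
    out = dict(fields)
    out["message"] = re.sub(pattern, replacement, fields["message"])
    return out


def demo() -> dict:
    """Parse both samples and apply the rewrite with both patterns; return
    the rewritten MESSAGE strings keyed by format."""
    results = {}
    for raw in (RFC3164_SAMPLE, RFC5424_SAMPLE):
        fields = parse(raw)
        results[fields["format"]] = {
            "substring": pseudonymize(fields)["message"],
            "word": pseudonymize(fields, pattern=r"\badmin\b")["message"],
        }
    return results


if __name__ == "__main__":
    for fmt, out in demo().items():
        print(f'{fmt}: subst("admin")    -> {out["substring"]}')
        print(f'{fmt}: word-anchored     -> {out["word"]}')
```

Running it shows the bare "admin" pattern turning the script path into pseudonym000001istrator-backup.sh while the anchored pattern only replaces the standalone user name; either way, the host name in the datagram reaches the SIEM untouched because the rule is scoped to MESSAGE.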