[syslog-ng] syslog-ng forwarding and processing issue
Denis Dolinský
denis.dolinsky at gmail.com
Thu Sep 29 10:08:50 CEST 2016
Hi Sandor,
these are my global options:
#
# Global options.
#
options { chain_hostnames(yes); keep_hostname(yes); keep_timestamp(yes);
flush_lines(0); perm(0640); stats_freq(3600); };
So spoof_source is not necessary here?
Thanks.
Denis
2016-09-29 9:49 GMT+02:00 Sandor Geller <sandor.geller at ericsson.com>:
> Hi,
>
> Source spoofing fakes the source IP address of the outgoing packets; as
> this can't work with connection-oriented protocols, it is usable only
> with UDP datagrams.
>
> Actually source spoofing isn't needed in most cases and won't even work
> when spoofing protection is enabled in firewalls / routers and not all
> hosts are on the same subnet.
>
> Take a look at keep-hostname() and chain-hostnames()
>
> Regards,
>
> Sandor
>
> On 09/29/2016 09:29 AM, Denis Dolinský wrote:
> > Hi,
> >
> > Yes, I need spoof_source to be enabled for source identification ...
> >
> > Denis
> >
> > 2016-09-28 16:44 GMT+02:00 Szalai, Attila
> > <Attila.Szalai at morganstanley.com>:
> >
> > Just a quick note.
> >
> > The warning message about the binding issue is caused by the
> > spoof_source option. Is that option necessary?
> >
> > *From:* syslog-ng-bounces at lists.balabit.hu *On Behalf Of* Denis Dolinský
> > *Sent:* Wednesday, September 28, 2016 3:47 PM
> > *To:* Syslog-ng users' and developers' mailing list
> > *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue
> >
> >
> > Hi guys,
> >
> > These are the stats:
> >
> >
> > destination;d_net_udp514;;a;processed;13
> > source;s_net_udp514;;a;processed;3
> > dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;dropped;0
> > dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;processed;10
> > dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;stored;0
> >
> >
> > From debug:
> >
> >
> > Incoming log entry; source='s_net_udp514#0',
> > line='<78> remote_server /usr/sbin/cron[24934]:
> > Can't bind hostname for the IP address, therefore using IP address
> > as hostname; IP address='192.168.2.1'
> >
> >
> > Do you see anything that I am not doing?
> >
> > Thanks.
> >
> > Denis
> >
> >
> > 2016-09-28 14:02 GMT+02:00 Szalai, Attila
> > <Attila.Szalai at morganstanley.com>:
> >
> > Hi,
> >
> > In case of UDP, the syslog source should handle receiving logs with
> > both the old and the new version. (But that is more an exception than
> > the rule, so matching the receiver and the sender is a good idea
> > generally.)
> >
> > Before anything else I would check whether the logs arrive at the
> > anonymizer host or not. The statistics can help with this. Also, if
> > there are parsing issues, syslog-ng would tell you through its
> > log.
> >
> > After that, starting syslog-ng with debug logs enabled can also
> > help in discovering what is happening with the received log.
> >
> >
> > *From:* syslog-ng-bounces at lists.balabit.hu *On Behalf Of* Fekete, Róbert
> > *Sent:* Wednesday, September 28, 2016 1:47 PM
> > *To:* Syslog-ng users' and developers' mailing list
> > *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue
> >
> > Hi,
> >
> >
> > The destination on your remote server and the source on the
> > pseudomizer host do not match: the first one uses the udp() driver
> > (RFC3164 protocol), while the second uses the syslog() driver
> > (RFC5424 protocol).
> >
> > Change the destination driver to syslog() on the remote server. (For
> > more possibilities, see
> > https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html)
> >
> > HTH
> >
> > Robert
> >
> >
> > On Wed, Sep 28, 2016 at 1:17 PM, Denis Dolinský
> > <denis.dolinsky at gmail.com> wrote:
> >
> > Hi guys,
> >
> > I have following setup in place:
> >
> > remote server - 192.168.1.10
> >
> > pseudomizer - syslog-ng PE in client mode - 192.168.2.10
> >
> > SIEM - 192.168.3.10
> >
> > So I am sending syslog logs from remote server to pseudomizer:
> >
> > source src { internal(); };
> >
> > destination dst { udp("192.168.2.10") port(514); };
> >
> > log { source(src); destination(dst); };
> >
> > This is a very old config from syslog v4.
> >
> > Then on pseudomizer - syslog-ng LTS 6.0.1 PE, I am collecting the
> > logs, processing them - removing private data, putting pseudonyms
> > instead and forwarding them to SIEM.
> >
> > source s_net_udp514 {
> >     syslog(
> >         ip("192.168.2.10")
> >         ip-protocol(4)
> >         transport("udp")
> >         so_rcvbuf(2097152)
> >     );
> > };
> >
> > source src {
> >     internal();
> >     unix-dgram("/dev/log");
> >     system();
> > };
> >
> > destination d_net_udp514 {
> >     syslog(
> >         "192.168.3.10"
> >         port(514)
> >         transport("udp")
> >         spoof_source(yes)
> >         mark_mode(periodical)
> >     );
> > };
> >
> > rewrite r_rewrite {
> >     subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));
> > };
> >
> > log {
> >     source(s_net_udp514); source(src);
> >     rewrite(r_rewrite); # do the pseudomizing
> >     destination(d_net_udp514);
> > };
> >
> > On SIEM device, I can see only pseudomizer internal logs (src), not
> > processed logs from remote server.
> >
> > Any advice?
> >
> > Many thanks.
> >
> > Denis
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
> >
> > ------------------------------------------------------------------------
> >
> > NOTICE: Morgan Stanley is not acting as a municipal advisor and the
> > opinions or views contained herein are not intended to be, and do
> > not constitute, advice within the meaning of Section 975 of the
> > Dodd-Frank Wall Street Reform and Consumer Protection Act. If you
> > have received this communication in error, please destroy all
> > electronic and paper copies and notify the sender immediately.
> > Mistransmission is not intended to waive confidentiality or
> > privilege. Morgan Stanley reserves the right, to the extent
> > permitted under applicable law, to monitor electronic
> > communications. This message is subject to terms available at the
> > following link: http://www.morganstanley.com/disclaimers
> > If you cannot access these links, please notify us by reply message
> > and we will send the contents to you. By communicating with Morgan
> > Stanley you consent to the foregoing and to the voice recording of
> > conversations with personnel of Morgan Stanley.
> >
> >
> > --
> > Ing. Denis Dolinský
> > denis.dolinsky at gmail.com
> > private cell: +421 907 530711
> >
> > --
> > Ing. Denis Dolinský
> > denis.dolinsky at gmail.com
> > private cell: +421 907 530711
>
--
Ing. Denis Dolinský
denis.dolinsky at gmail.com
private cell: +421 907 530711
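The driver mismatch Robert points out in the thread (the udp() driver sends RFC3164 BSD-style lines, the syslog() source expects RFC5424) and the subst() rewrite in Denis's pseudomizer config, illustrated by an added Python example that is not part of this thread or of syslog-ng itself. It holds two strict toy parsers, one per framing, a parse_with_driver() helper that returns None when a line's framing does not match the receiving driver, and a pseudonymize() that mirrors subst(..., value("MESSAGE"), flags("global")) by rewriting only the MESSAGE part. The sample lines, the function names and the DRIVER_FRAMING table are constructed for this example; syslog-ng's real parsers are more lenient than these regexes, so the example shows the kind of mismatch, not syslog-ng's exact behaviour.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed sample lines (not taken from the thread): the same cron event
# once in RFC 3164 (BSD) framing, as the udp() driver sends it, and once in
# RFC 5424 framing, as the syslog() driver expects.
RFC3164_LINE = ("<78>Sep 28 13:17:01 remote_server /usr/sbin/cron[24934]: "
                "(admin) CMD (run-parts /etc/cron.hourly)")
RFC5424_LINE = ("<78>1 2016-09-28T13:17:01+02:00 remote_server cron 24934 - - "
                "(admin) CMD (run-parts /etc/cron.hourly)")

# Strict toy grammars for the two framings (assumption: real syslog-ng parsers
# are more lenient, e.g. they accept BSD lines without a timestamp).
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])"
    r"(?: (?P<msg>.*))?$"
)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Which framing each syslog-ng network driver speaks, per Robert's reply.
DRIVER_FRAMING = {"udp": "rfc3164", "syslog": "rfc5424"}


@dataclass(frozen=True)
class SyslogMessage:
    framing: str
    facility: int
    severity: int
    host: str
    program: str
    pid: Optional[str]
    message: str


def detect_framing(line: str) -> str:
    """Return 'rfc5424', 'rfc3164' or 'unknown' for a raw syslog line."""
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return "unknown"


def parse_with_driver(line: str, driver: str) -> Optional[SyslogMessage]:
    """Parse `line` the way a receiver using `driver` ('udp' or 'syslog')
    would; return None when the line's framing does not match the driver."""
    framing = DRIVER_FRAMING[driver]
    m = (RFC5424_RE if framing == "rfc5424" else RFC3164_RE).match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if framing == "rfc5424":
        program, pid = m.group("app"), m.group("procid")
        pid = None if pid == "-" else pid
    else:
        program, pid = m.group("tag"), m.group("pid")
    return SyslogMessage(
        framing=framing,
        facility=pri // 8,   # PRI = facility * 8 + severity
        severity=pri % 8,
        host=m.group("host"),
        program=program,
        pid=pid,
        message=m.group("msg") or "",
    )


def pseudonymize(msg: SyslogMessage, mapping: Dict[str, str]) -> SyslogMessage:
    """Mimic rewrite { subst(..., value("MESSAGE"), flags("global")); }:
    every occurrence of each key is replaced, but only inside MESSAGE,
    so HOST and PROGRAM are forwarded unchanged."""
    text = msg.message
    for real, alias in mapping.items():
        text = text.replace(real, alias)
    return replace(msg, message=text)


if __name__ == "__main__":
    for line in (RFC3164_LINE, RFC5424_LINE):
        accepted = {d: parse_with_driver(line, d) is not None for d in DRIVER_FRAMING}
        print(detect_framing(line), "->", accepted)
    bsd = parse_with_driver(RFC3164_LINE, "udp")
    print(pseudonymize(bsd, {"admin": "pseudonym000001"}).message)
```

Running the block shows that the BSD-framed line is accepted by the "udp" driver only and the RFC5424 line by the "syslog" driver only, which is the situation in the thread: the remote server's udp() destination and the pseudomizer's syslog() source never agree on framing. The rewrite is applied after a successful parse, so a message that never parses is also never pseudonymized or forwarded.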