[syslog-ng] Relay Server Config Help
wiskbroom at hotmail.com
Wed Apr 26 21:44:29 UTC 2017
Hello;
I am running syslog-NG on a server inside of a DMZ, and on that server I'd like to just forward all messages into my internal syslog-NG server. I feel this is better than having to create a new firewall rule for each new DMZ node.
I have a simple syslog-NG config that looks like this:
---------START syslog-ng.conf-----------
@version:3.5
@include "scl.conf"
@include "/etc/syslog-ng/conf.d/*.conf"

# Global options for the DMZ relay; keep-hostname(yes) preserves the
# hostname already present in each received message.
options {
    time-reap(30);
    mark-freq(10);
    keep-hostname(yes);
    chain_hostnames(off);
    flush_lines(0);
    time_reopen(10);
    log_fifo_size(1000);
    use_dns(yes);
    use_fqdn(no);
    create_dirs(no);
};

# Inputs from the DMZ nodes: legacy BSD syslog on 514/udp and 514/tcp,
# RFC 5424 (IETF) syslog on 1514/tcp.
source s_relay {
    udp(ip(0.0.0.0) port(514) so_rcvbuf(425984));
    tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(425984) log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
    syslog(ip(0.0.0.0) transport("tcp") port(1514) max-connections(500) log_iw_size(25000) flags("threaded") log_fetch_limit(100));
};

# Forward everything to the internal syslog-ng server using the IETF
# syslog() driver (RFC 5424 with octet-count framing) on 514/tcp.
destination d_syslog_tcp { syslog("10.5.5.10" transport("tcp") port(514)); };

log { source(s_relay); destination(d_syslog_tcp); };
----------END syslog-ng.conf-------------
The problem that I am experiencing is that my messages, once received by my internal syslog-NG server, look like the following:
Apr 26 17:31:06 relay-sng-server 126 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384 INFO: @2 SessionExchange::ProcessTCPRead
Apr 26 17:31:06 relay-sng-server 124 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384 DEBUG: OpenSSLHandler::PerformHandshake
I am hoping not to muck around too much with my config for my internal syslog-NG servers, and want for the messages above to appear as coming from relay-client-host-X and NOT relay-sng-server.
It could potentially be nice to know that the message was first received by relay-sng-server, but...
I was considering opening another TCP port on my internal syslog servers, and using that to send from DMZ, then a rewrite, but that all seems far more complicated than necessary. Am I missing something on my syslog-NG conf?
Any suggestions greatly appreciated!
Thanks all in advance,
-Vadim
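As an added example (editor's code, not part of Vadim's post or of syslog-ng itself): the "126 <30>1 ..." prefix in the quoted lines is the octet-count framing that the IETF syslog() driver emits, and the "Apr 26 17:31:06 relay-sng-server" in front of it is the BSD header a legacy tcp() source writes around a message it could not parse, so a collector can detect such double-wrapped lines and recover the originating host. The sample lines are the two from the post; the regexes, class and function names are the editor's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Outer BSD-style header added by a legacy tcp()/udp() source.
LEGACY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")

# Body that is really an octet-counted RFC 5424 frame:
#   <len> <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
FRAMED_RE = re.compile(
    r"^(?P<len>\d+) (?P<frame><(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*))$")

# Constructed sample input: the two lines quoted in the post above.
SAMPLE_LINES = [
    "Apr 26 17:31:06 relay-sng-server 126 <30>1 2017-04-26T17:32:01-04:00 "
    "relay-client-host-X appserv - - - 606881792 140565409392384 "
    "INFO: @2 SessionExchange::ProcessTCPRead",
    "Apr 26 17:31:06 relay-sng-server 124 <30>1 2017-04-26T17:32:01-04:00 "
    "relay-client-host-X appserv - - - 606881792 140565409392384 "
    "DEBUG: OpenSSLHandler::PerformHandshake",
]

@dataclass
class RelayedMessage:
    relay_host: str            # host the collector attributed the line to
    origin_host: Optional[str] # host inside the wrapped RFC 5424 frame, if any
    app: Optional[str]
    msg: str
    declared_len: Optional[int]  # octet count announced by the relay
    actual_len: Optional[int]    # bytes actually present in the frame

def parse_relayed_line(line: str) -> RelayedMessage:
    """Split a collector line into its outer BSD header and, when the body is
    an octet-counted RFC 5424 frame, the inner message it wraps."""
    m = LEGACY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    f = FRAMED_RE.match(m["body"])
    if not f:  # ordinary message; nothing was double-wrapped
        return RelayedMessage(m["host"], None, None, m["body"], None, None)
    # A declared/actual mismatch means the frame was altered or truncated.
    return RelayedMessage(m["host"], f["host"], f["app"], f["msg"],
                          int(f["len"]), len(f["frame"].encode()))

def double_wrapped_hosts(lines: List[str]) -> List[str]:
    """Originating hosts of every line whose body is a wrapped IETF frame."""
    parsed = (parse_relayed_line(l) for l in lines)
    return [p.origin_host for p in parsed if p.origin_host is not None]
```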