[syslog-ng] Relay Server Config Help

Scheidler, Balázs balazs.scheidler at balabit.com
Thu Apr 27 04:25:59 UTC 2017


Your dmz syslog relay is using the "new" rfc5424 format whereas your
internal one tries to parse it as rfc3164.

You should probably use the tcp() driver and not syslog().

On Apr 26, 2017 23:44, "wiskbroom at hotmail.com" <wiskbroom at hotmail.com>
wrote:

> Hello;
>
>
> I am running syslog-NG on a server inside of a DMZ, and on that server I'd
> like to just forward all messages into my internal syslog-NG server. I feel
> this is better than having to create a new firewall rule for each new DMZ
> node.
>
>
> I have a simple syslog-NG config that looks like this:
>
>
> ---------START syslog-ng.conf-----------
>
> @version:3.5
> @include "scl.conf"
> @include "/etc/syslog-ng/conf.d/*.conf"
>
> options {
>     time-reap(30);
>     mark-freq(10);
>     keep-hostname(yes);
>     chain_hostnames (off);
>     flush_lines (0);
>     time_reopen (10);
>     log_fifo_size (1000);
>     use_dns (yes);
>     use_fqdn (no);
>     create_dirs (no);
> };
>
> source s_relay {
>     udp(ip(0.0.0.0) port(514) so_rcvbuf(425984));
>     tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(425984)
>         log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
>     syslog(ip(0.0.0.0) transport("tcp") port(1514)
>         max-connections(500) log_iw_size(25000) flags("threaded")
>         log_fetch_limit(100));
> };
>
> destination d_syslog_tcp { syslog("10.5.5.10" transport("tcp") port(514)); };
>
> log { source(s_relay); destination(d_syslog_tcp); };
>
> ----------END syslog-NG.conf-------------
>
>
> The problem that I am experiencing is that my messages, once received by
> my internal syslog-NG server, look like the following:
>
>
> Apr 26 17:31:06 relay-sng-server 126 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384  INFO: @2 SessionExchange::ProcessTCPRead
>
> Apr 26 17:31:06 relay-sng-server 124 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384 DEBUG: OpenSSLHandler::PerformHandshake
>
>
> I am hoping not to muck around too much with my config for my internal
> syslog-NG servers, and want for the messages above to appear as coming from
> relay-client-host-X and NOT relay-sng-server.
>
> It could potentially be nice to know that the message was first received
> by relay-sng-server, but...
>
> I was considering opening another TCP port on my internal syslog servers,
> and using that to send from DMZ, then a rewrite, but that all seems far
> more complicated than necessary.  Am I missing something on my syslog-NG
> conf?
>
> Any suggestions greatly appreciated!
>
> Thanks all in advance,
>
> -Vadim
>
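To make the mismatch in the thread concrete, here is an added Python example (not from the thread or from syslog-ng) that parses one of the lines Vadim quoted: the whole RFC5424 message the relay's syslog() destination emitted, octet-count prefix included, has become the MSG part of an RFC3164 record on the internal server, so the real origin host can only be recovered by parsing that MSG again. The names parse_wrapped, WrappedMessage and the regexes are my own; the sample line is the one from the thread, re-joined.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Outer record as the internal server's tcp() source stored it: an RFC3164
# header "Mmm dd hh:mm:ss HOSTNAME " followed by whatever the relay sent as MSG.
OUTER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# Inner payload as the relay's syslog() destination emitted it: an octet-count
# prefix ("126 ") and an RFC5424 header
# "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG".
INNER_RE = re.compile(
    r"^(?:(?P<octets>\d+) )?<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?"
    r"(?P<msg>.*)$"
)

# Sample record from the thread above, re-joined onto one line.
SAMPLE = ("Apr 26 17:31:06 relay-sng-server 126 <30>1 2017-04-26T17:32:01-04:00 "
          "relay-client-host-X appserv - - - 606881792 140565409392384  INFO: @2 "
          "SessionExchange::ProcessTCPRead")

@dataclass
class WrappedMessage:
    relay_host: str    # HOSTNAME the internal server recorded (the relay)
    origin_host: str   # HOSTNAME inside the embedded RFC5424 header
    facility: int
    severity: int
    app: str
    timestamp: str
    msg: str

def parse_wrapped(line: str) -> Optional[WrappedMessage]:
    """Return the embedded RFC5424 fields if `line` is an RFC3164 record whose
    MSG part is a complete RFC5424 message, or None for an ordinary record."""
    outer = OUTER_RE.match(line)
    inner = INNER_RE.match(outer["msg"]) if outer else None
    if not inner:
        return None
    pri = int(inner["pri"])   # PRI = facility * 8 + severity
    return WrappedMessage(
        relay_host=outer["host"], origin_host=inner["host"],
        facility=pri // 8, severity=pri % 8, app=inner["app"],
        timestamp=inner["ts"], msg=inner["msg"].strip(),
    )

if __name__ == "__main__":
    print(parse_wrapped(SAMPLE))
```

Run over the internal server's log, any record where relay_host differs from origin_host is one the relay forwarded with the syslog() driver into a tcp() (RFC3164) source, which is exactly the pairing the reply above says to change.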