[syslog-ng] DMZ Relay Config (multiple ports)

wiskbroom at hotmail.com
Wed May 17 20:43:50 UTC 2017


Hello!


I am trying to build a syslog-ng.conf for a DMZ relay that will listen on several TCP and UDP ports, all working just great.

My config essentially captures traffic, then redirects each connection internally from itself.


What happens if my internal host goes down? I am hoping to store locally if connectivity is down, but I am not sure where or how that would get defined.


I need to keep a direct relationship between ports, as my internal syslog-ng treats these ports differently, so redirecting to the same as received is key.


Below is my DMZ relay syslog-ng config file; any offers to make it better are greatly appreciated.



-Vadim

-------------------------syslog-ng.conf------------------------------
@version:3.5
@include "scl.conf"
@include "/etc/syslog-ng/conf.d/*.conf"

# Global options
options {
    time-reap(30);
    mark-freq(10);
    keep-hostname(yes);      # keep the hostname found in the received message
    chain_hostnames (off);
    flush_lines (0);
    time_reopen (10);        # seconds to wait before reconnecting a broken connection
    log_fifo_size (1000);    # output queue size, in messages, per destination
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
};

# Listeners on the DMZ relay: one source per protocol/port
source s_udp-relay {
    udp(ip(0.0.0.0) port(514) so_rcvbuf(425984));
};

source s_tcp-relay-514 {
    tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(425984) log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
};

source s_tcp-relay-7514 {
    tcp(ip(0.0.0.0) port(7514) max-connections(250) so_rcvbuf(425984) log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
};

# Internal syslog-ng host: one destination per protocol/port
destination d_syslog_udp { udp("10.5.5.5" port(514)); };
destination d_syslog_tcp-514 { tcp("10.5.5.5" port(514)); };
destination d_syslog_tcp-7514 { tcp("10.5.5.5" port(7514)); };

# Log paths: each source is forwarded to the same protocol and port it was received on
log { source(s_udp-relay); destination(d_syslog_udp); };
log { source(s_tcp-relay-514); destination(d_syslog_tcp-514); };
log { source(s_tcp-relay-7514); destination(d_syslog_tcp-7514); };



