[syslog-ng] Rsyslog relay or syslog-ng ?

Scot scotrn at gmail.com
Mon Feb 5 20:21:17 UTC 2018


Hi,

Hoping someone has seen an easy fix for this. Sorry if it's specifically
referenced somewhere I'm not seeing.

Dealing with a vendor who is not able to leverage the RFC headers or TCP
input.
We have rsyslog relays in remote sites sending TCP/514 to syslog-ng and
others locally sending directly to syslog-ng TCP/UDP 514.

The devices sending directly to syslog-ng are reporting to the IDS
correctly. Hosts relaying through rsyslog are showing a source address of
the relay.


/etc/rsyslog.d/forward.conf

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@syslog-ngIP:514




/etc/syslog-ng/conf.d

source s_net_tcp { tcp(ip(0.0.0.0) port(514) max-connections(300)
                       keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000)); };
source s_net_udp { syslog(ip(0.0.0.0) keep_hostname(yes) port(514)
                          transport("udp") flags(no-hostname) so_rcvbuf(262142)); };

destination d_ids { network("IDSHOSTNAME" spoof_source(yes)
                            transport(udp) port(514) flags(syslog-protocol)); };

log { source(s_net_udp);
        channel { filter(f_ids); destination(d_ids); };
        channel { parser(pattern_db); destination(d_es); };
};

log { source(s_net_tcp);
        channel { filter(f_ids); destination(d_ids); };
        channel { parser(pattern_db); destination(d_es); };
};
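Added example (not part of the original post or of syslog-ng/rsyslog): a small parser that reads syslog lines the way a receiver sees them and shows the difference between the HOST carried in the message header and the network peer the line arrived from. For a device that sends directly, both point at the device; for a device relayed through rsyslog, the header still names the device but the peer is the relay. A consumer that keys on the packet source rather than the header (the situation described above, where the IDS cannot use the RFC headers) will therefore attribute relayed events to the relay. The sample lines, hostnames and addresses below are constructed; `relay_ips` is a hypothetical parameter used to flag which events would be misattributed.

```python
"""Show header HOST vs. network peer for direct and relayed syslog lines.
Constructed example; not the poster's or the projects' code."""
import re
from dataclasses import dataclass

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOST MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# RFC 5424 header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$")


@dataclass
class SyslogEvent:
    peer_ip: str      # address the datagram / TCP connection came from
    header_host: str  # HOST field carried inside the message itself
    fmt: str          # "rfc5424", "rfc3164" or "raw"
    msg: str


def parse_syslog(line: str, peer_ip: str) -> SyslogEvent:
    """Parse one line; with no usable header, fall back to the peer
    address as HOST (the usual receiver behaviour)."""
    m = RFC5424.match(line)
    if m:
        return SyslogEvent(peer_ip, m["host"], "rfc5424", m["msg"])
    m = RFC3164.match(line)
    if m:
        return SyslogEvent(peer_ip, m["host"], "rfc3164", m["msg"])
    return SyslogEvent(peer_ip, peer_ip, "raw", line)


def reporting_host(ev: SyslogEvent, trust_header: bool) -> str:
    """trust_header=True behaves like keep_hostname(yes): the header HOST
    is kept. False models a consumer that only looks at the packet source."""
    return ev.header_host if trust_header else ev.peer_ip


# Constructed samples. 192.0.2.50 plays the rsyslog relay: the line it
# forwards still names the original device (fw-branch02) in the header.
SAMPLES = [
    ("<34>Feb  5 20:21:17 fw-edge01 kernel: DROP IN=eth0 SRC=198.51.100.7", "192.0.2.10"),
    ("<34>Feb  5 20:21:17 fw-branch02 kernel: DROP IN=eth1 SRC=203.0.113.9", "192.0.2.50"),
    ("<34>1 2018-02-05T20:21:17Z switch-core01 snmpd 4242 ID47 - link down", "192.0.2.11"),
]


def attribution_table(samples, trust_header: bool):
    """Return (header_host, host the consumer would report) per sample."""
    out = []
    for line, peer in samples:
        ev = parse_syslog(line, peer)
        out.append((ev.header_host, reporting_host(ev, trust_header)))
    return out


def relayed_events(samples, relay_ips):
    """Header hosts of events that arrived from a relay: these are the
    ones a source-address-only consumer would attribute to the relay."""
    return [parse_syslog(line, peer).header_host
            for line, peer in samples if peer in relay_ips]


if __name__ == "__main__":
    for trust in (True, False):
        print(f"trust_header={trust}")
        for hdr, seen in attribution_table(SAMPLES, trust):
            print(f"  header={hdr:14s} reported={seen}")
    print("would be attributed to the relay:",
          relayed_events(SAMPLES, {"192.0.2.50"}))
```

Run it as a script to see both views side by side; the relayed line is the only one whose reported address changes from a device name to the relay's address when the header is not trusted. The same comparison can be done against real captures by feeding the received line together with the peer address a receiver logs for it.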