[syslog-ng] Rsyslog relay or syslog-ng ?

james.r.hendrick james.r.hendrick at gmail.com
Mon Feb 5 20:37:03 UTC 2018


Just to verify, try a tcpdump of the traffic going through the relay to see what syslog-ng is receiving.
Jim


Sent from my Verizon, Samsung Galaxy smartphone
-------- Original message --------
From: Scot <scotrn at gmail.com>
Date: 2/5/18 3:21 PM (GMT-05:00)
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Rsyslog relay or syslog-ng ?
Hi, 
  Hoping someone has seen an easy fix for this. Sorry if it's specifically referenced somewhere I'm not seeing.
Dealing with a vendor who is not able to leverage the RFC headers or TCP input. We have rsyslog relays in remote sites sending TCP/514 to syslog-ng and others locally sending directly to syslog-ng TCP/UDP 514. 
The devices sending directly to syslog-ng are reporting to the IDS correctly. Hosts relaying through rsyslog are showing a source address of the relay.

/etc/rsyslog.d/forward.conf
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@syslog-ngIP:514


/etc/syslog-ng/conf.d
source s_net_tcp {
    tcp(ip(0.0.0.0) port(514) max-connections(300) keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000));
};
source s_net_udp {
    syslog(ip(0.0.0.0) keep_hostname(yes) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142));
};
destination d_ids {
    network("IDSHOSTNAME" spoof_source(yes) transport(udp) port(514) flags(syslog-protocol));
};
log {
    source(s_net_udp);
    channel { filter(f_ids); destination(d_ids); };
    channel { parser(pattern_db); destination(d_es); };
};
log {
    source(s_net_tcp);
    channel { filter(f_ids); destination(d_ids); };
    channel { parser(pattern_db); destination(d_es); };
};
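An added example, not from either message in this thread: the observation above is that the IDS names the rsyslog relay for relayed hosts while direct senders are attributed correctly. The distinction that matters is between the transport-level peer address (for a TCP connection from a relay, always the relay's IP) and the HOSTNAME field carried inside the syslog header, which is what keep_hostname(yes) preserves and what rsyslog's default forwarding template still carries for relayed messages. The script below takes records of the form (peer address, raw line), as one would assemble from the tcpdump Jim suggests, parses the RFC 3164 and RFC 5424 headers, and lists the messages where attribution by network source would name the relay instead of the origin. The relay address, hostnames and log lines are constructed for the example.

```python
"""Compare the transport-level peer address of received syslog messages with the
HOSTNAME carried in the header, and flag messages that arrived via a relay.

All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 3164 (BSD syslog, what rsyslog's default forward format emits):
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG     (dd is space padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)
# RFC 5424 (what syslog-ng emits with flags(syslog-protocol)):
#   <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)


@dataclass
class Header:
    fmt: str        # "rfc3164" or "rfc5424"
    facility: int   # PRI >> 3
    severity: int   # PRI & 7
    hostname: str   # HOSTNAME field from the header


def parse_header(raw: str) -> Optional[Header]:
    """Extract PRI and HOSTNAME from a syslog line; None if it is neither format."""
    for fmt, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(raw)
        if m:
            pri = int(m.group("pri"))
            if pri > 191:  # 23 facilities * 8 severities - 1
                return None
            return Header(fmt, pri >> 3, pri & 7, m.group("host"))
    return None


@dataclass
class Attribution:
    peer_ip: str       # source address of the TCP/UDP packet as received
    header_host: str   # HOSTNAME inside the message (the origin, if relayed)
    via_relay: bool    # peer is a known relay, so peer_ip is not the origin


def attribute(peer_ip: str, raw: str, relays: Dict[str, str]) -> Optional[Attribution]:
    """Pair the network source with the header hostname for one message."""
    hdr = parse_header(raw)
    if hdr is None:
        return None
    return Attribution(peer_ip, hdr.hostname, peer_ip in relays)


def relay_mismatches(records: Iterable[Tuple[str, str]],
                     relays: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (peer_ip, header_host) for messages an IDS keyed on the network
    source would attribute to the relay rather than to the originating host.
    The relay's own messages (header names the relay itself) are not mismatches."""
    out = []
    for peer_ip, raw in records:
        a = attribute(peer_ip, raw, relays)
        if a is None or not a.via_relay:
            continue
        if a.header_host not in (a.peer_ip, relays[a.peer_ip]):
            out.append((a.peer_ip, a.header_host))
    return out


# Constructed sample: relay IP -> relay hostname (hypothetical addresses).
RELAYS = {"10.20.0.5": "relay-site-a"}

# Constructed sample records: (peer address as seen by syslog-ng, raw line).
SAMPLE = [
    # direct sender: the peer address is the real origin
    ("10.10.1.20", "<38>Feb  5 15:21:03 fw-edge sshd[2211]: Accepted publickey for ops from 10.10.9.3 port 51022"),
    # relayed through rsyslog: peer is the relay, HOSTNAME is the origin
    ("10.20.0.5", "<38>Feb  5 15:21:04 branch-fw01 sshd[1040]: Failed password for root from 203.0.113.7 port 40022"),
    ("10.20.0.5", "<86>1 2018-02-05T15:21:05-05:00 branch-db02 sudo - - - pam_unix(sudo:session): session opened for user root"),
    # the relay's own message: header names the relay, so no mismatch
    ("10.20.0.5", "<30>Feb  5 15:21:06 relay-site-a rsyslogd: action resumed"),
    # garbage on the wire: skipped
    ("10.10.1.21", "not a syslog line"),
]

if __name__ == "__main__":
    for peer, origin in relay_mismatches(SAMPLE, RELAYS):
        print(f"peer {peer} (relay) carried message from {origin}")
```

To run it against real traffic, replace SAMPLE with the source addresses and payloads pulled from the tcpdump capture on the syslog-ng host; every (peer, origin) pair it prints is a message whose header still names the origin but whose network source is the relay.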
 






