[syslog-ng] SYSLOG to SNMP TRAP relay server, how can I spoof source address

Armando Martires amartires at smartechnologies.pt
Tue Jul 23 09:53:40 UTC 2019


Hello,

I set up a Syslog-ng relay server to relay syslog messages as SNMP traps.
The relay is working, sending an SNMP TRAP whenever a SYSLOG message is
received, but the source seems to be the syslog-ng server and not the
client host that originated the syslog message.

This is my config:

options {
    time_reopen(10);
    log_fifo_size(1000);
    chain_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    create_dirs(no);
    keep_hostname(yes);
    chain_hostnames(no);
};

source s_labs_itsm {
    syslog(ip("192.168.50.20") transport("udp"));
};

destination d_local {
    file("/var/log/messages_${HOST}");
};

destination d_ss {
    snmp(
        host("192.168.50.10")
        version("v2c")
        community("public")
        trap-obj('.1.3.6.1.6.3.1.1.4.1.0', 'Objectid', '.1.3.6.1.4.1.18372.3.1.1.1.2.1')
        snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.1.0', 'Octetstring', '${MESSAGE}')
        snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.2.0', 'Octetstring', 'admin')
        snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.3.0', 'Ipaddress', '${HOST}')
    );
};

log {
    source(s_labs_itsm);
    destination(d_local);
    destination(d_ss);
};


Can anyone help me out understanding what I'm doing wrong?
Thanks!
--
Armando Mártires
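Added example, not part of the post above and not syslog-ng code: a minimal
SNMPv2c trap encoder/decoder that builds a trap with the same varbinds as the
d_ss destination and then parses it the way a trap receiver would. It shows
the point behind the question from the receiving side: the UDP source of the
trap datagram is always the relay host, so the originating client has to be
carried in-band, either in the enterprise Ipaddress varbind the config already
sends or in the standard snmpTrapAddress.0 varbind (.1.3.6.1.6.3.18.1.3.0,
RFC 3584), which receivers check first here. The enterprise OIDs are taken
from the post; the relay and client addresses, the message text and the
uptime are constructed sample values. One caveat worth knowing: the SNMP
Ipaddress type holds exactly four octets, so whatever is bound to it must be
a dotted-quad; with keep_hostname(yes) ${HOST} is the hostname the client wrote
into the syslog message, which may not be one.

```python
# Added example: SNMPv2c trap build/parse to locate the originating host.
# Not code from the mailing-list post or from syslog-ng.

SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"            # sysUpTime.0
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"         # snmpTrapOID.0 (as in trap-obj)
SNMP_TRAP_ADDRESS_OID = "1.3.6.1.6.3.18.1.3.0"  # snmpTrapAddress.0, RFC 3584
# Enterprise OIDs exactly as they appear in the poster's config
TRAP_OBJECTID = "1.3.6.1.4.1.18372.3.1.1.1.2.1"
MSG_OID = "1.3.6.1.4.1.18372.3.1.1.1.1.1.0"
USER_OID = "1.3.6.1.4.1.18372.3.1.1.1.1.2.0"
HOST_OID = "1.3.6.1.4.1.18372.3.1.1.1.1.3.0"

# ---- minimal BER encoder: only the types an SNMPv2c trap needs ----
def _len(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def enc_int(v, tag=0x02):
    """INTEGER (0x02) or TimeTicks (0x43): minimal two's-complement body."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return tlv(tag, body)

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def varbind(oid, value_tlv):
    return tlv(0x30, enc_oid(oid) + value_tlv)

def build_trap(community, originating_host, message, user, uptime_ticks=0, request_id=1):
    """SNMPv2c trap carrying the relay's varbinds plus snmpTrapAddress.0."""
    ip = bytes(int(o) for o in originating_host.split("."))  # Ipaddress = 4 octets
    varbinds = (
        varbind(SYS_UPTIME_OID, enc_int(uptime_ticks, 0x43))
        + varbind(SNMP_TRAP_OID, enc_oid(TRAP_OBJECTID))          # 'Objectid'
        + varbind(MSG_OID, tlv(0x04, message.encode()))           # 'Octetstring'
        + varbind(USER_OID, tlv(0x04, user.encode()))
        + varbind(HOST_OID, tlv(0x40, ip))                        # 'Ipaddress'
        + varbind(SNMP_TRAP_ADDRESS_OID, tlv(0x40, ip))           # standard in-band origin
    )
    pdu = tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

# ---- minimal BER decoder, as a trap receiver would use it ----
def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # fine for arcs starting 0 or 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag == 0x04:
        return body.decode("utf-8", "replace")
    if tag == 0x06:
        return dec_oid(body)
    if tag == 0x40:
        return ".".join(str(b) for b in body)
    if tag in (0x02, 0x43):
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    return body

def parse_trap(packet):
    """Return (community, {oid: value}) from a raw SNMPv2c trap datagram."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _, pos = _read_tlv(msg, 0)                 # version
    _, comm, pos = _read_tlv(msg, pos)            # community
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA7:
        raise ValueError("not an SNMPv2-Trap PDU")
    pos = 0
    for _ in range(3):                            # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    out, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        out[dec_oid(oid_body)] = dec_value(vtag, vbody)
    return comm.decode(), out

def originating_host(packet, udp_source):
    """Prefer the in-band origin; the datagram source is always the relay."""
    _, vbs = parse_trap(packet)
    return vbs.get(SNMP_TRAP_ADDRESS_OID) or vbs.get(HOST_OID) or udp_source

if __name__ == "__main__":
    RELAY = "192.168.50.20"   # constructed: the syslog-ng host sending the trap
    pkt = build_trap("public", "10.0.0.7", "sshd[123]: session opened", "admin", 4200)
    print("UDP source:", RELAY, "| origin from varbinds:", originating_host(pkt, RELAY))
    for oid, v in parse_trap(pkt)[1].items():
        print(oid, "=", v)
```

On a real receiver the same lookup applies: read snmpTrapAddress.0 (or the
enterprise Ipaddress varbind) instead of the packet's IP header, and the
relay's address as the UDP source stops being a problem.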
