[syslog-ng] SYSLOG to SNMP TRAP relay server, how can I spoof source address

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Tue Jul 23 12:23:06 UTC 2019


Hello Armando!

Keep-hostname should work; the only thing that comes to my mind is that the hostname is not found in the log message.
Maybe it is not entirely RFC 5424 or RFC 3164 compliant.
Both syslog-parser() and the syslog() source fall back to parsing the message as RFC 3164 if RFC 5424 parsing fails.

As most of the fields are optional in RFC 3164, some fields will not have a value. In the case of HOST, the default value is the IP address syslog-ng listens on.

You can check the parsing process with the -t (trace) option of syslog-ng.

Here is an example with the keep-hostnames(yes) option when I send the "some message" line into syslog-ng:
[2019-07-23T14:19:38.891117] Initial message parsing follows;
[2019-07-23T14:19:38.891188] Setting value; name='PROGRAM', value='some', msg='0x7ff940002c60'
[2019-07-23T14:19:38.891226] Setting value; name='LEGACY_MSGHDR', value='some ', msg='0x7ff940002c60'
[2019-07-23T14:19:38.891249] Setting value; name='MESSAGE', value='message', msg='0x7ff940002c60'
[2019-07-23T14:19:38.891327] Setting value; name='HOST_FROM', value='127.0.0.1', msg='0x7ff940002c60'
[2019-07-23T14:19:38.891348] Setting value; name='HOST', value='127.0.0.1', msg='0x7ff940002c60'

You can see that HOST is set to the localhost IP address, as the message did not contain a host field.

Regards,
Gabor
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Armando Martires <amartires at smartechnologies.pt>
Sent: Tuesday, July 23, 2019 11:53
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] SYSLOG to SNMP TRAP relay server, how can I spoof source address



Hello,

I set up a syslog-ng relay server to relay syslog messages as SNMP traps.
The relay is working, sending an SNMP trap whenever a syslog message is received, but the source seems to be the syslog-ng server and not the client host that originated the syslog message.

This is my config:

options {
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);   # keep the hostname parsed from the message, if one is present
};

source s_labs_itsm {
    syslog(ip("192.168.50.20") transport("udp"));
};

destination d_local {
    file("/var/log/messages_${HOST}");
};

destination d_ss {
    snmp(
        host("192.168.50.10")
        version("v2c")
        community("public")
        trap-obj('.1.3.6.1.6.3.1.1.4.1.0', 'Objectid', '.1.3.6.1.4.1.18372.3.1.1.1.2.1')
        snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.1.0', 'Octetstring', '${MESSAGE}')
        snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.2.0', 'Octetstring', 'admin')
        snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.3.0', 'Ipaddress', '${HOST}')
    );
};

log {
    source(s_labs_itsm); destination(d_local); destination(d_ss);
};


Can anyone help me out understanding what I'm doing wrong?
Thanks!
--
Armando Mártires
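
The fallback parsing Gabor describes above, as an added example that is not part of this thread or of syslog-ng itself: a constructed, simplified model of the RFC 3164 parse path, showing why a bare line such as "some message" ends up with HOST equal to the peer address while a compliant line keeps its own hostname. The regexes and the `parse_rfc3164` helper are assumptions for illustration, not syslog-ng's code.

```python
import re

# Hypothetical, simplified model of syslog-ng's RFC 3164 fallback parsing
# (constructed for this example; not syslog-ng's own code). It reproduces
# the trace lines quoted above for the message "some message".
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
HOST_RE = re.compile(r"^([^\s:\[]+) ")
MSGHDR_RE = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?:? ")

def parse_rfc3164(raw: str, peer_ip: str) -> dict:
    """Name/value pairs syslog-ng sets for a legacy (RFC 3164) message.
    peer_ip is the datagram's source (HOST_FROM) and the default HOST."""
    values = {"HOST_FROM": peer_ip}
    rest = raw
    m = PRI_RE.match(rest)
    if m:
        values["PRI"] = int(m.group(1))
        rest = rest[m.end():]
    # A hostname is only looked for behind a BSD timestamp; a bare line such
    # as "some message" goes straight to the legacy "program[pid]:" header.
    m = TS_RE.match(rest)
    if m:
        values["DATE"] = m.group(0).strip()
        rest = rest[m.end():]
        m = HOST_RE.match(rest)
        if m:
            values["HOST"] = m.group(1)
            rest = rest[m.end():]
    m = MSGHDR_RE.match(rest)
    if m:
        values["PROGRAM"] = m.group(1)
        if m.group(2):
            values["PID"] = m.group(2)
        values["LEGACY_MSGHDR"] = m.group(0)
        rest = rest[m.end():]
    values["MESSAGE"] = rest
    # keep-hostname(yes) keeps whatever HOST was parsed; with no host field
    # the listener falls back to the peer address, which the trap then shows.
    values.setdefault("HOST", peer_ip)
    return values

if __name__ == "__main__":
    # Constructed samples: the bare line from the reply, and a compliant one.
    for line in ("some message", "<13>Jul 23 14:19:38 webhost myapp[42]: up"):
        print(parse_rfc3164(line, "127.0.0.1"))
```

Comparing the two results side by side is the same check `syslog-ng -t` gives: if HOST comes back as the listener or peer address, the sender is not putting a hostname on the wire.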

