[syslog-ng] mystique with spoof_address

Antal Nemes (anemes) Antal.Nemes at oneidentity.com
Thu Apr 9 08:09:49 UTC 2020


There is an `rp_filter` kernel feature that might affect you: https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/
Or this may be another routing problem, a firewall or SELinux.

It would be worth checking with tcpdump whether the packet arrives at the next hop.
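One way to act on the two suggestions above (check rp_filter, then watch the next hop with tcpdump), as an added example that is not from this thread and not syslog-ng's own tooling: a small POSIX shell script for the receiving host. The interface name, forwarded port and client prefix it uses are assumptions for illustration. The facts it encodes are kernel behaviour: Linux uses the larger of conf/all/rp_filter and conf/<iface>/rp_filter when validating the source address of a packet arriving on <iface>, and it counts packets dropped by that check in the IPReversePathFilter field of /proc/net/netstat.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: inspect the reverse-path
# filter on a host that receives spoofed-source UDP syslog, and print the
# tcpdump command for confirming whether the packets arrive at all.
# Interface, port and prefix below are illustrative assumptions.

# Linux applies max(conf/all/rp_filter, conf/<iface>/rp_filter) per interface.
effective_rp_filter() {
    all="$1"; iface="$2"
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

# Meaning of an rp_filter value (Documentation/networking/ip-sysctl.txt).
rp_filter_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;  # drop unless the best route back to src is via this iface
        2) echo "loose" ;;   # drop only if src is unreachable via any interface
        *) echo "unknown" ;;
    esac
}

# Live effective value for an interface, read from /proc (fails if absent).
host_rp_filter() {
    iface="$1"
    base=/proc/sys/net/ipv4/conf
    [ -r "$base/all/rp_filter" ] && [ -r "$base/$iface/rp_filter" ] || return 1
    effective_rp_filter "$(cat "$base/all/rp_filter")" "$(cat "$base/$iface/rp_filter")"
}

# Extract the IPReversePathFilter drop counter from /proc/net/netstat text on
# stdin. The file has a TcpExt header line (field names) followed by a TcpExt
# value line; we locate the column in the header and print it from the values.
parse_rp_filter_drops() {
    awk '$1 == "TcpExt:" {
            if (!col) { for (i = 2; i <= NF; i++) if ($i == "IPReversePathFilter") col = i }
            else { print $col; exit }
         }'
}

rp_filter_drops() {
    [ -r /proc/net/netstat ] || return 1
    parse_rp_filter_drops < /proc/net/netstat
}

# tcpdump filter for the next hop: spoofed sources inside the original client
# prefix, destined for the forwarded syslog port.
next_hop_capture_cmd() {
    iface="$1"; port="$2"; prefix="$3"
    echo "tcpdump -ni $iface 'udp dst port $port and src net $prefix'"
}

# Usage: sh rpfilter_check.sh check eth0  (assumed interface/port/prefix)
if [ "${1:-}" = "check" ]; then
    iface="${2:-eth0}"
    if v=$(host_rp_filter "$iface"); then
        echo "rp_filter on $iface: $v ($(rp_filter_mode "$v"))"
    else
        echo "rp_filter sysctls for $iface not readable on this host"
    fi
    d=$(rp_filter_drops) && [ -n "$d" ] && echo "packets dropped by rp_filter so far: $d"
    echo "run on the receiver while a client sends:"
    next_hop_capture_cmd "$iface" 5140 10.0.0.0/8
fi
```

Run the capture on the receiver while the relay forwards. If tcpdump on the relay shows the packet leaving but it never appears on the receiver, it is lost in transit (routing, firewall); if it appears on the receiver but the IPReversePathFilter counter rises, the kernel accepted it on the wire and then discarded it because the spoofed source address failed the reverse-path check. In strict mode that happens whenever the best route back to the original client network is not via the interface the relay sends on.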

From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Edvinas Kairys <edvinas.email at gmail.com>
Sent: Wednesday, April 8, 2020 19:57
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] mystique with spoof_address


Hello, I installed (yum install) the following version on a CentOS 7 box.

syslog-ng 3.5.6
Installer-Version: 3.5.6
Compile-Date: Dec 30 2015 19:57:24
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on

My goal is to forward syslog messages 'untouched' but to change the source address to the original one. For that I'm using spoof-address.

My conf is like this:

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (no);
    mark-freq (0);
};

source s_network {
    udp(ip("") port(514) flags(no-parse));
};

destination d_syslog_tcp { network("" transport("udp") port(5140) spoof-source(yes)); };
log { source(s_network); destination(d_syslog_tcp); };
log { source(s_network); filter(f_default); destination(d_mesg); };
# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

The strange thing is that when I enable spoof-source, some packets are not transmitted to the destination. tcpdump even says they are sent, but I don't see some logs on the destination box.
Could it be something with the spoof_source option? Also, I didn't compile it myself because I saw that the SPOOF functionality is on in the syslog-ng -V output.

Any suggestions?

