[syslog-ng] mystique with spoof_address

Edvinas Kairys edvinas.email at gmail.com
Wed Apr 15 12:38:34 UTC 2020


Thanks, yes, this was my first guess. Anyway, due to too much potential for
unexpected behavior when using a spoofed address, I dropped this idea.

I'm trying to make a syslog-ng relay server (for 4-5 different Cisco
devices) forward logs to a Logstash server. Somehow I need to save the SOURCE
IP address of every log and add it to the message when forwarding to the syslog
server. Is it possible? Could someone show some guidelines? The best way
would be to leave the message untouched and just add some field to the syslog
message (for example at the end). Thanks

On Thu, Apr 9, 2020 at 11:09 AM Antal Nemes (anemes) <
Antal.Nemes at oneidentity.com> wrote:

> Hello,
>
> There is a `rp_filter` kernel feature that might affect you:
> https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/
> Or this may be another routing problem, a firewall, or SELinux.
>
> It would be worth checking whether the packet arrives at the next hop,
> using tcpdump.
>
> Br,
>   Antal
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Edvinas Kairys <edvinas.email at gmail.com>
> *Sent:* Wednesday, April 8, 2020 19:57
> *To:* syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] mystique with spoof_address
>
> Hello, I installed (yum install) the following version on a CentOS 7 box.
>
> syslog-ng 3.5.6
> Installer-Version: 3.5.6
> Revision:
> Compile-Date: Dec 30 2015 19:57:24
> Available-Modules:
> affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: on
> Enable-Linux-Caps: on
> Enable-Pcre: on
>
> My goal is to forward syslog messages 'untouched' but to change the source
> address to the original one. For that case I'm using spoof-address.
>
> My conf is like this:
>
> options {
>     flush_lines (0);
>     time_reopen (10);
>     log_fifo_size (1000);
>     chain_hostnames (off);
>     use_dns (no);
>     use_fqdn (no);
>     create_dirs (no);
>     keep_hostname (no);
>     mark-freq (0);
> };
> source s_network {
>      udp(ip(0.0.0.0) port(514) flags(no-parse));
>
> };
> destination d_syslog_tcp { network("10.13.33.125" transport("udp")
> port(5140) spoof-source(yes)); };
> log { source(s_network); destination(d_syslog_tcp); };
> log { source(s_network); filter(f_default); destination(d_mesg); };
> # Source additional configuration files (.conf extension only)
> @include "/etc/syslog-ng/conf.d/*.conf"
>
> Strange thing: when I enable spoof-source, some packets are not
> transmitted to the destination. Even though tcpdump says they are sent, I
> don't see some logs on the destination box.
> Could it be something with the spoof_source command? Also, I didn't compile
> it myself because I saw that the SPOOF functionality is on in the syslog-ng -V output.
>
> Any suggestions?
>
> Thanks
>
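One way to carry each device's address without spoof-source, as an added example that is not from the thread: a template() on the destination appends the syslog-ng `$SOURCEIP` macro (the address of the host that delivered the message to the relay) to every forwarded line. The Logstash address and port are taken from the config quoted above; the field name `source_ip` is my choice.

```conf
# Added example (not from the thread): relay that records the sending
# Cisco device's address inside the message instead of rewriting the
# UDP source address of the outgoing packet.

# Same listener as in the quoted config: flags(no-parse) means $MSG holds
# the complete line exactly as the device sent it, with nothing parsed out.
source s_network {
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

# $SOURCEIP is the IP of the last hop that handed the message to this relay,
# i.e. the Cisco device itself when the devices send directly to the relay.
# The original line is left untouched; the field is appended at the end.
destination d_logstash {
    network("10.13.33.125"
        transport("udp")
        port(5140)
        template("$MSG source_ip=$SOURCEIP\n")
    );
};

# If the source is changed to parse syslog (flags(no-parse) removed), use a
# template that rebuilds the header so the priority and timestamp survive:
#   template("<$PRI>$DATE $HOST $MSGHDR$MSG source_ip=$SOURCEIP\n")

log { source(s_network); destination(d_logstash); };
```

Logstash will still see the relay as the UDP peer; the appended field is what preserves the per-device attribution, and no rp_filter or spoofing behaviour is involved.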