[syslog-ng] mystique with spoof_address

Antal Nemes (anemes) Antal.Nemes at oneidentity.com
Thu Apr 16 05:58:47 UTC 2020


  Hello,

You can use the set rewrite rule:

  rewrite { set("$MSG, SOURCEIP=$SOURCEIP" value(MSG)); };

You can read more from the documentation
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide/65#TOPIC-1349543

Br,
  Antal
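A complete relay configuration built around that rewrite rule, added here as an illustration (it is not from this thread or from the syslog-ng project). The listener port 514, the Logstash address 10.13.33.125 and port 5140 are the values from the configuration quoted further down; the object names s_cisco, r_add_sourceip and d_logstash are assumptions. Because the relay sends from its own address, no spoof-source() is needed, so neither rp_filter nor raw-socket capabilities come into play:

```conf
# Added example, not the original poster's configuration.
# Receive raw datagrams from the Cisco devices. flags(no-parse) keeps the
# whole datagram (PRI, timestamp, hostname, text) in $MSG, untouched.
source s_cisco {
    network(ip(0.0.0.0) port(514) transport("udp") flags(no-parse));
};

# Append the peer address the relay saw ($SOURCEIP) to the end of the
# message, as suggested above. This is the only change made to the text.
rewrite r_add_sourceip {
    set("$MSG, SOURCEIP=$SOURCEIP" value(MSG));
};

# Forward to Logstash. The template() emits only $MSG, so syslog-ng does
# not prepend a second header carrying the relay's own hostname.
destination d_logstash {
    network("10.13.33.125" port(5140) transport("udp")
            template("${MSG}\n"));
};

log {
    source(s_cisco);
    rewrite(r_add_sourceip);
    destination(d_logstash);
};
```

On the Logstash side the original line is followed by a literal `, SOURCEIP=<address>` suffix that a grok or dissect pattern can peel off. Note that $SOURCEIP is the address of whatever host delivered the datagram to this relay, so if another relay sits in between, that relay's address is what gets recorded, not the Cisco device's.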
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Edvinas Kairys <edvinas.email at gmail.com>
Sent: Wednesday, April 15, 2020 14:38
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] mystique with spoof_address


Thanks, yes this was my first guess. Anyway, due to too much (potential) of unexpected behavior of using spoofed address I dropped this idea.

I'm trying to make a syslog-ng relay server (for 4-5 different Cisco devices) forward logs to a Logstash server. Somehow I need to save the SOURCE IP address of every log and add it to the message when forwarding to the syslog server. Is it possible? Could someone show some guidelines? The best way would be to leave the message untouched and just add some field to the syslog message (for example at the end). Thanks

On Thu, Apr 9, 2020 at 11:09 AM Antal Nemes (anemes) <Antal.Nemes at oneidentity.com> wrote:
  Hello,

There is a `rp_filter` kernel feature that might affect you: https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/
Or this may be another routing problem, firewall or SELinux.

It would be worth checking whether the packet arrives at the next hop using tcpdump.

Br,
  Antal
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Edvinas Kairys <edvinas.email at gmail.com>
Sent: Wednesday, April 8, 2020 19:57
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] mystique with spoof_address


  Hello, I installed (yum install) the following version on a CentOS 7 box.

syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Dec 30 2015 19:57:24
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on

My goal is to forward syslog messages 'untouched' but to change the source address to the original one. For that I'm using spoof-source.

My conf is like this:

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (no);
    mark-freq (0);
};
source s_network {
     udp(ip(0.0.0.0) port(514) flags(no-parse));

};
destination d_syslog_tcp { network("10.13.33.125" transport("udp") port(5140) spoof-source(yes)); };
log { source(s_network); destination(d_syslog_tcp); };
log { source(s_network); filter(f_default); destination(d_mesg); };
# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

Strange thing: when I enable spoof-source, some packets are not transmitted to the destination. Even TCPDUMP says they are sent, but I don't see some logs on the destination box.
Could it be something with the spoof_source command? Also, I didn't compile it myself because I saw that the SPOOF functionality is on in the syslog-ng -V output.

Any suggestions ?

Thanks



______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


