[syslog-ng] mystique with spoof_address

Edvinas Kairys edvinas.email at gmail.com
Thu Apr 16 11:07:47 UTC 2020


Thanks. Could you say: do I need to parse the whole syslog message? Or can I use this rewrite function
without parsing the message, just to add some fields to the end of the raw
message?

Thanks

On Thu, Apr 16, 2020 at 8:58 AM Antal Nemes (anemes) <
Antal.Nemes at oneidentity.com> wrote:

>   Hello,
>
> You can use the set rewrite rule:
>
>   rewrite { set("$MSG, SOURCEIP=$SOURCEIP" value(MSG)); };
>
> You can read more from the documentation
>
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide/65#TOPIC-1349543
>
> Br,
>   Antal
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Edvinas Kairys <edvinas.email at gmail.com>
> *Sent:* Wednesday, April 15, 2020 14:38
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] mystique with spoof_address
>
>
> Thanks, yes, this was my first guess. Anyway, due to too much (potential)
> unexpected behavior from using a spoofed address, I dropped this idea.
>
> I'm trying to make a syslog-ng relay server (for 4-5 different Cisco
> devices) to forward logs to a Logstash server. Somehow I need to save the source
> IP address of every log and add it to the message when forwarding to the syslog
> server. Is it possible? Could someone show some guidelines? The best way would be
> to leave the message untouched, just to add some field to the syslog message
> (for example at the end). Thanks
>
> On Thu, Apr 9, 2020 at 11:09 AM Antal Nemes (anemes) <
> Antal.Nemes at oneidentity.com> wrote:
>
>   Hello,
>
> There is an `rp_filter` kernel feature that might affect you:
> https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/
> Or this may be some other routing problem, firewall or SELinux.
>
> It would be worth checking whether the packet arrives at the next hop, using
> tcpdump.
>
> Br,
>   Antal
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Edvinas Kairys <edvinas.email at gmail.com>
> *Sent:* Wednesday, April 8, 2020 19:57
> *To:* syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] mystique with spoof_address
>
>
>   Hello, I installed (yum install) the following version on a CentOS 7 box.
>
> syslog-ng 3.5.6
> Installer-Version: 3.5.6
> Revision:
> Compile-Date: Dec 30 2015 19:57:24
> Available-Modules:
> affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: on
> Enable-Linux-Caps: on
> Enable-Pcre: on
>
> My goal is to forward syslog messages 'untouched' but to change the source
> address to the original one. For that I'm using spoof-source.
>
> My conf is like this:
>
> options {
>     flush_lines (0);
>     time_reopen (10);
>     log_fifo_size (1000);
>     chain_hostnames (off);
>     use_dns (no);
>     use_fqdn (no);
>     create_dirs (no);
>     keep_hostname (no);
>     mark-freq (0);
> };
> source s_network {
>      udp(ip(0.0.0.0) port(514) flags(no-parse));
>
> };
> destination d_syslog_tcp { network("10.13.33.125" transport("udp")
> port(5140) spoof-source(yes)); };
> log { source(s_network); destination(d_syslog_tcp); };
> log { source(s_network); filter(f_default); destination(d_mesg); };
> # Source additional configuration files (.conf extension only)
> @include "/etc/syslog-ng/conf.d/*.conf"
>
> Strange thing: when I enable spoof-source, some packets are not
> transmitted to the destination. Even tcpdump says they are sent, but I
> don't see some logs on the destination box.
> Could it be something with the spoof_source option? Also I didn't compile
> it myself, because I saw that SPOOF functionality is on in the syslog-ng -V output.
>
> Any suggestions ?
>
> Thanks
>
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
>
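The relay configuration the thread is circling around, put together as an added example (not a config from either participant or from the syslog-ng project): it takes the `set()` rewrite rule Antal suggested and wires it into a log path with the `no-parse` source from Edvinas's original config. The Logstash address is a placeholder, the `d_logstash` and `r_add_sourceip` names are mine, and the `template()` on the destination is an assumption about what "untouched" should mean here.

```conf
@version: 3.5

# Relay: receive raw UDP syslog from the Cisco devices, do not parse it,
# append the sending host's IP to the message, forward to Logstash.
# No spoof-source is used, so Logstash sees the relay as the UDP sender and
# reads the original device address from the appended field instead.
options {
    keep_hostname(no);
    use_dns(no);
    chain_hostnames(off);
};

source s_network {
    # no-parse: the whole incoming line is stored in $MSG and nothing is
    # extracted from its header. $SOURCEIP is still filled in from the UDP
    # socket, so the rewrite below works without parsing the message.
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

rewrite r_add_sourceip {
    # Antal's rule from this thread: append the last-hop IP to the message.
    set("$MSG, SOURCEIP=$SOURCEIP" value("MSG"));
};

destination d_logstash {
    # LOGSTASH_HOST_PLACEHOLDER: replace with the Logstash syslog input.
    # template("${MSG}\n") sends the raw line plus the appended field, rather
    # than letting syslog-ng prepend a new header of its own (assumption:
    # that is the "untouched" forwarding the question asks for).
    network("LOGSTASH_HOST_PLACEHOLDER" transport("udp") port(5140)
            template("${MSG}\n"));
};

log {
    source(s_network);
    rewrite(r_add_sourceip);
    destination(d_logstash);
};
```

Check the file with `syslog-ng -s -f <path>` before reloading. Because the relay, not the device, is now the UDP sender, downstream filters that key on the packet source address should match on the appended `SOURCEIP=` field instead; this also sidesteps the `rp_filter` and packet-loss issues that spoof-source raised earlier in the thread.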