Comments (16)
You need to make sure the spoof-source support is compiled into syslog-ng
(check syslog-ng -V) and make sure that spoof_source(yes) is set on the
destination from the forwarding server. Also, are you sure you're running with
the syslog-ng.conf in the nodes/conf directory? You should copy that to
/usr/local/syslog-ng/etc/syslog-ng.conf and make edits there so that code
updates do not overwrite your local edits.
Original comment by [email protected]
on 22 Mar 2012 at 1:02
from enterprise-log-search-and-archive.
I'm going to close this for now, but I'll reopen if your issue is not fixed.
Original comment by [email protected]
on 24 Mar 2012 at 3:29
- Changed state: Done
Here is my 'syslog-ng -V' output:
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on <-- this means I have spoof-source support
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off
I have determined my syslog-ng install is using the conf file @
/usr/local/syslog-ng/etc/ . However, adding options for spoof_source(yes);
causes a syntax error. Can you point me in another direction?
Thank you.
Original comment by [email protected]
on 26 Mar 2012 at 10:49
Can you attach the config or a snippet as well as the error?
Original comment by [email protected]
on 27 Mar 2012 at 1:26
- Changed state: New
It was my understanding of syslog, that I needed to set keep_hostname(yes) and
chain_hostname(no). Do you know how they are different? (chain_hostname causes
the same error)
syslog-ng.conf file:
@version: 3.2
options {
spoof_source(yes);
};
source s_network {
tcp();
udp();
};
parser p_db {
db-parser(file("/usr/local/elsa/node/conf/patterndb.xml"));
};
filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
Error:
Stopping syslog-ng
Starting syslog-ng
Error parsing main, syntax error, unexpected LL_IDENTIFIER, expecting '}' in
/usr/local/syslog-ng-3.2.4/etc/syslog-ng.conf at line 4, column 2:
spoof_source(yes);
^^^^^^^^^^^^
syslog-ng documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Original comment by [email protected]
on 27 Mar 2012 at 2:34
My syslog-ng server is receiving syslog forwards from another syslog-ng server.
The trouble is, my syslog-ng server keeps the IP of the other syslog-ng server
instead of the original syslog message's sender. However, I can see the correct
IP when I do a tcpdump of the network interface of my syslog-ng server.
Original comment by [email protected]
on 27 Mar 2012 at 2:56
Ah, you need spoof_source(yes) as an option in your destination, like this:
destination d_other_syslog {
udp("10.0.2.24" port(514) spoof_source(yes));
};
Original comment by [email protected]
on 27 Mar 2012 at 3:17
I am not sending anything from my syslog-ng server, just receiving... I would
think that if I did that it wouldn't make a difference, because I am sending it to
ELSA.
Am I thinking about this correctly?
Thanks!
Original comment by [email protected]
on 27 Mar 2012 at 6:45
You don't need spoof_source at all on the syslog-ng instance that writes to
ELSA. ELSA's template uses $SOURCEIP which is the actual IP address it sees on
the wire when it receives a log. If you have logs chained through hosts, then
the forwarding hosts need to spoof_source.
Original comment by [email protected]
on 27 Mar 2012 at 6:52
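The point above, that the receiving syslog-ng records whatever source address is on the wire and only a forwarder with spoof_source(yes) can change that, is easiest to see at the packet level. The following is an added example and not ELSA or syslog-ng code: syslog-ng does this through libnet, and this Python re-implementation builds the same kind of IPv4/UDP datagram with an arbitrary source address and then parses it back the way the receiver (or a tcpdump on its interface) would. The addresses 10.0.2.5 (relay), 10.0.2.24 (ELSA), 144.38.100.189 (original sender) and the payload are constructed sample data. Building and parsing the bytes needs no privileges; actually transmitting them needs CAP_NET_RAW, and any router on the path that validates source addresses (BCP 38) may drop them.

```python
"""Build and parse a UDP/IPv4 syslog datagram with a spoofed source address.

Added example, not ELSA or syslog-ng code. Sample addresses and payload are
constructed. Sending (send_spoofed) needs root / CAP_NET_RAW; the rest does not.
"""
import socket
import struct

IPPROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_spoofed_udp(src_ip: str, dst_ip: str, sport: int, dport: int,
                      payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Return a complete IPv4+UDP packet whose source address is src_ip,
    regardless of which host actually transmits it."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # The UDP checksum covers a pseudo-header (src, dst, zero, proto, length)
    # plus the UDP header and payload, with the checksum field zeroed.
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    csum = _checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 would mean "no checksum"
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, csum)
    # IPv4 header: version/IHL, TOS, total length, ID, flags (DF), TTL, proto, csum, src, dst
    ip_fields = [0x45, 0, 20 + udp_len, ident, 0x4000, ttl, IPPROTO_UDP, 0, src, dst]
    ip_fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))
    return struct.pack("!BBHHHBBH4s4s", *ip_fields) + udp_hdr + payload


def parse_udp_datagram(pkt: bytes) -> dict:
    """What the receiving syslog-ng (or tcpdump on its interface) sees.
    Both checksums are verified, so a corrupted or mis-built packet is rejected."""
    ver_ihl, _tos, _total, _ident, _flags, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_UDP:
        raise ValueError("not an IPv4/UDP packet")
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    segment = pkt[ihl:ihl + udp_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    if udp_csum and _checksum(pseudo + segment) != 0:
        raise ValueError("bad UDP checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "payload": segment[8:]}


def send_spoofed(pkt: bytes, dst_ip: str) -> None:
    """Transmit with IP_HDRINCL so the kernel keeps our IP header (needs CAP_NET_RAW).
    Routers on the path doing source-address validation (BCP 38) may drop the packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst_ip, 0))


# Constructed sample: relay 10.0.2.5 forwards a line on behalf of 144.38.100.189 to ELSA at 10.0.2.24
SAMPLE_PAYLOAD = (b"<187>Apr  9 15:43:35 144.38.100.189 592905: %LINK-3-UPDOWN: "
                  b"Interface FastEthernet2/0/46, changed state to down\n")
SPOOFED = build_spoofed_udp("144.38.100.189", "10.0.2.24", 514, 514, SAMPLE_PAYLOAD)  # spoof_source(yes)
RELAYED = build_spoofed_udp("10.0.2.5", "10.0.2.24", 514, 514, SAMPLE_PAYLOAD)       # spoof_source(no)

if __name__ == "__main__":
    for name, pkt in (("spoof_source(yes)", SPOOFED), ("spoof_source(no)", RELAYED)):
        print(name, "-> receiver's $SOURCEIP =", parse_udp_datagram(pkt)["src"])
```

With the relay sending RELAYED, the receiver's $SOURCEIP is 10.0.2.5 (the relay), which is exactly the symptom in this thread; with SPOOFED it is 144.38.100.189. The same packet is also what a capture would show, so if tcpdump on the ELSA host already shows the original address, the forwarder is spoofing correctly and the problem is elsewhere.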
I just want to mention that we have a similar scenario; in our case we have
hosts behind NAT, which send logs directly to the ELSA syslog-ng instance. All
of these hosts end up with the $SOURCEIP of the NAT router.
Prior to using ELSA we had been using syslog_ng to write to flat files with the
keep_hostnames option, which worked as expected.
I guess this is a feature request, but it would be nice to have some way for
ELSA to do something with keep_hostnames, even if it means using name
resolution to turn those hostnames back into IP addresses internally.
spoof_source seems like it won't work in many network situations, and it will
definitely not cover our particular situation (spoofed packets from the NAT
router we own would be discarded by the real routers we don't control between
it and our ELSA server).
(Yes, I know our network situation is bad, but it's outside of my control at
the moment, and I'm sure there are others suffering similar fates)
Original comment by [email protected]
on 30 Mar 2012 at 5:35
This should be no problem as it's all just syslog-ng config. You can use $HOST
instead of $SOURCEIP in the syslog-ng template and turn on keep_hostnames(yes).
ELSA uses the inet_aton() function on the host given (which will be $HOST and
not $SOURCEIP if you change it) which does DNS resolving on its own.
Performance of this is untested, so I can't say if the DNS will be cached in
any way or if that will significantly degrade throughput.
Original comment by [email protected]
on 30 Mar 2012 at 6:14
That sounds like a great solution for us - thanks for the prompt reply.
Original comment by [email protected]
on 30 Mar 2012 at 6:56
It looks like the correct IP address comes across in the Message section of the
syslog packet (see below). Couldn't I have syslog-ng look for that and rewrite
$SOURCEIP to the IP I found?
sample tcpdump:
5:43:35.545651 IP (tos 0x0, ttl 64, id 15401, offset 0, flags [DF], proto UDP (17), length 176)
ip-xxx-xxx-xxx-xxx.xxx.xxx.xxxx > ncc1701d.xx.xxx.xxx.syslog: [udp sum ok] SYSLOG, length: 148
Facility local7 (23), Severity error (3)
Msg: Apr 9 15:43:35 144.38.100.189/144.38.100.189 592905: Apr 9 15:43:34 MDT: %LINK-3-UPDOWN: Interface FastEthernet2/0/46, changed state to down\0x0a
Thanks.
Original comment by [email protected]
on 9 Apr 2012 at 9:51
Or... is there a quick way to increase the size of the MSGONLY field to include
more than "%LINK-3-UPDOWN: Interface FastEthernet2/0/46, changed state to down"
like the entire Msg: ?
Thanks!
Original comment by [email protected]
on 9 Apr 2012 at 10:02
The $MSG macro should be what you're looking for. I think some sort of
rewrite() function could work here, but it will take some work.
Original comment by [email protected]
on 9 Apr 2012 at 10:13
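For the two questions just above (pulling the original address out of the message text, and getting at more than the MSGONLY part), here is an added example in Python of what a rewrite on $MSG/$HOST has to do; it is not ELSA or syslog-ng code. It splits the BSD-syslog header, takes an IP literal from the HOST field when the sender put one there (falling back to the wire address otherwise, with no DNS lookup), and splits a Cisco IOS body into sequence number, timestamp, program tag and text using the same shape as the f_rewrite_cisco_program filters earlier in the thread. The sample line is constructed from the tcpdump excerpt above; the PRI value <187> (local7.error, matching the capture's facility and severity) and the client-first order of a chain_hostname() value ("client/relay") are assumptions.

```python
"""Recover the originating host and the Cisco fields from a BSD-syslog datagram.

Added example, not ELSA or syslog-ng code. The sample line is constructed from
the tcpdump excerpt in the thread; PRI <187> and the 'client/relay' order of a
chained hostname are assumed. No DNS lookups are made.
"""
import ipaddress
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST MSG (the PRI part may be absent on the wire).
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# Cisco IOS body as f_rewrite_cisco_program_2/_3 see it: optional sequence number,
# optional '*'/'.' clock-state flag, a calendar timestamp (optional ms and zone)
# or an uptime stamp such as 3w2d, then the %FACILITY-SEVERITY-MNEMONIC tag.
_CISCO = re.compile(
    r"^(?:(?P<seq>\d+): )?[\*\.]?"
    r"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?"
    r"|\d+[ywdh]\d+[ywdh])"
    r": (?P<program>%[^:]+): (?P<text>.*)$", re.S)


def parse_datagram(raw: bytes) -> dict:
    """Split a raw datagram into facility, severity, timestamp, HOST and MSG."""
    text = raw.decode("utf-8", "replace").rstrip("\r\n")
    m = _HEADER.match(text)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % text[:40])
    pri = int(m.group("pri")) if m.group("pri") is not None else 13  # RFC 3164 default: user.notice
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}


def original_host(host_field: str) -> str:
    """chain_hostname(yes) on a relay yields 'client/relay'; the originating
    client is assumed to be the first element."""
    return host_field.split("/")[0]


def effective_source_ip(raw: bytes, udp_src_ip: str) -> str:
    """Prefer an IP literal carried in the HOST field; otherwise keep the wire
    address. A hostname is deliberately not resolved here: that is the
    keep_hostname(yes) + $HOST route, whose DNS cost the thread leaves untested."""
    candidate = original_host(parse_datagram(raw)["host"])
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return udp_src_ip
    return candidate


def split_cisco(msg: str):
    """Return seq/ts/program/text for an IOS-style body, or None if it is not one."""
    m = _CISCO.match(msg)
    return m.groupdict() if m else None


# Constructed from the tcpdump excerpt above (PRI assumed).
SAMPLE = (b"<187>Apr  9 15:43:35 144.38.100.189/144.38.100.189 592905: Apr 9 15:43:34 MDT: "
          b"%LINK-3-UPDOWN: Interface FastEthernet2/0/46, changed state to down\n")

if __name__ == "__main__":
    fields = parse_datagram(SAMPLE)
    print("wire source 10.0.2.5 ->", effective_source_ip(SAMPLE, "10.0.2.5"))
    print(split_cisco(fields["msg"]))
```

Note the trust boundary: whatever is in the HOST field was written by the sender (or a relay), so a host that can reach the collector can claim any address this way. That is no worse than spoof_source, which makes the same claim at the IP layer, but it is worth keeping the wire address alongside the recovered one rather than replacing it.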
Original comment by [email protected]
on 30 Apr 2012 at 1:54
- Changed state: Done