This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Joerg_T1
Absent Member.
Absent Member.
‎2014-09-10 11:39
2936 views

Raw Syslog forwarding - preserve source IP

We would like to forward syslogs from a syslog connector to Logger and as additional destination to a syslog-ng system.

For forwarding to syslog-ng, we have configured as destination "Raw Syslog". Unfortunately, the original source IP does not arrive on syslog-ng, instead as source ip we see the ip address of the smart connector system. Is it possible to configure the raw syslog destination in some way to preserve the source ip address (spoofing)?

Labels (5)
1 other person had this problem.
0 Likes
Reply
Report Inappropriate Content
8 Replies
madhyasta
Absent Member.
Absent Member.
‎2014-09-14 17:06

Just to understand your scenario better you have

                                                                  __Logger (3)

Syslog Source(1)-> syslog connector(2) /

                                                                \ __syslogNG (4)

Assuming this is the scenario which IP you want at syslogNG?

0 Likes
Reply
Report Inappropriate Content
superman
Captain
Captain
‎2014-12-12 21:50

src - Address appears to be one of the "HARD MACRO" fields on syslog-ng, which is extracted at the time syslog messages are received by syslog-ng sever.   There are a few options.  Namely, disable parsing of incoming messages completely, and manually parse the messages.   Another option, once messages received by syslog-ng, write the udp messages to syslog-ng destination using "TEMPLATE" option in syslog-ng.

0 Likes
Reply
Report Inappropriate Content
edwin.martinez.
Absent Member.
Absent Member.
‎2015-02-05 09:49

Why are you NOT sending/forwarding your syslog entries to syslogNG and syslog connector in parallel? Is your syslog source device unable to accept/configure more than one log forwarding destination? This would be my preferred configuration as opposed to trying to forward syslog entries that may have been processed by a smart connector.

0 Likes
Reply
Report Inappropriate Content
rkent1
Fleet Admiral
Fleet Admiral
‎2015-04-30 03:39

You'll want to enable the 'preserve raw event' on the connector, and then forward rawEvent out the other end. For sources that sent syslog msgs to the ConApp with a RFC-3164 compliant header, you'll have the original syslog source in the same place of the header:

<34>Oct 11 22:14:15 <syslog_source_ip_or_hostname> ...remainder of syslog message

What you may find though is that there are a number of syslog generating devices that violate this header or won't send a header at all.

0 Likes
Reply
Report Inappropriate Content
grace.chang
Absent Member.
Absent Member.
‎2015-05-21 20:24

Was Richard's answer correct or helpful? If so, please mark as correct so users will know.

0 Likes
Reply
Report Inappropriate Content
arcsight_siem
Absent Member.
Absent Member.
‎2017-02-28 11:42

Hi

Anyone have concrete solution to this? We want to forward raw syslog from smartconnector to another (non-HP) destination.

I fear if we use RAW syslogs format then we may loose the original source ip.

Regards

0 Likes
Reply
Report Inappropriate Content
Gayan
Fleet Admiral
Fleet Admiral
‎2017-02-28 21:04

You can use syslog event broker for send raw logs to different destinations .

Cheers

Gayan

Mr
0 Likes
Reply
Report Inappropriate Content
raptraj1
Vice Admiral
Vice Admiral
‎2017-04-18 14:27

HI Richard,

I have the same issue/scenario, i wasn't fully able to understand your solution. can you please help me out on this.

1. I will enable "Preserver Raw Event" on connector (For logger destination)

2. But still the 2nd destination called "Raw syslog" will have the same configuration, right?,   how this can preserve the raw event for the SyslogNG

3. then forward rawEvent out the other end - i wasn't able to understand this, how can we achieve this

Your help will be highly appreciated

Thanks,

Rajkumar

Raj
0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.