Joerg_T1 Absent Member.

Raw Syslog forwarding - preserve source IP

We would like to forward syslogs from a syslog connector to Logger and as additional destination to a syslog-ng system.

For forwarding to syslog-ng, we have configured "Raw Syslog" as the destination. Unfortunately, the original source IP does not arrive at syslog-ng; instead, the source IP we see is the IP address of the smart connector system. Is it possible to configure the raw syslog destination in some way to preserve the source IP address (spoofing)?

madhyasta Absent Member.

Re: Raw Syslog forwarding - preserve source IP

Just to understand your scenario better, you have:

Syslog Source (1) -> syslog connector (2) -> Logger (3)
                                          \-> syslogNG (4)

Assuming this is the scenario, which IP do you want at syslogNG?

superman Respected Contributor.

Re: Raw Syslog forwarding - preserve source IP

src-Address appears to be one of the "HARD MACRO" fields on syslog-ng, which is extracted at the time syslog messages are received by the syslog-ng server. There are a few options. Namely, disable parsing of incoming messages completely, and manually parse the messages. Another option: once messages are received by syslog-ng, write the UDP messages to a syslog-ng destination using the "TEMPLATE" option in syslog-ng.

edwin.martinez. Absent Member.

Re: Raw Syslog forwarding - preserve source IP

Why are you NOT sending/forwarding your syslog entries to syslogNG and syslog connector in parallel? Is your syslog source device unable to accept/configure more than one log forwarding destination? This would be my preferred configuration as opposed to trying to forward syslog entries that may have been processed by a smart connector.

rkent1 Acclaimed Contributor.

Re: Raw Syslog forwarding - preserve source IP

You'll want to enable 'preserve raw event' on the connector, and then forward rawEvent out the other end. For sources that sent syslog messages to the ConApp with an RFC-3164 compliant header, you'll have the original syslog source in the same place in the header:

<34>Oct 11 22:14:15 <syslog_source_ip_or_hostname> ...remainder of syslog message

What you may find though is that there are a number of syslog generating devices that violate this header or won't send a header at all.

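As an added example (not code from this thread, from ArcSight or from syslog-ng), the routine below pulls the original source host out of a preserved RFC 3164 raw event and falls back to the transport-level sender when the header is missing or malformed, which is exactly the failure mode Richard warns about. The sample events and the connector address 10.0.0.5 are constructed for the demo.

```python
import re

# Constructed sample input: raw events as a SmartConnector would forward them with
# "preserve raw event" enabled. The connector address is an assumption for the demo.
CONNECTOR_IP = "10.0.0.5"
SAMPLE_EVENTS = [
    "<34>Oct 11 22:14:15 192.0.2.7 su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct  1 09:05:02 fw01 kernel: link up on eth0",
    "login failed for user admin from 198.51.100.9",           # no header at all
    "<999>Oct 11 22:14:15 badpri sshd: bogus priority value",  # PRI out of range
]

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME MSG, where TIMESTAMP is "Mmm dd hh:mm:ss"
# (single-digit day padded with a space) and HOSTNAME may be a name or an IPv4 address.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def original_source(raw: str, sender_ip: str) -> tuple[str, str]:
    """Return (source, provenance). source is the HOSTNAME field when the event
    carries a valid RFC 3164 header; otherwise it is the IP the packet actually came
    from (the connector), which is all that can honestly be claimed for such events."""
    m = RFC3164.match(raw)
    if m is None or int(m.group("pri")) > 191:  # PRI = facility*8 + severity, max 191
        return sender_ip, "sender"
    return m.group("host"), "header"


def annotate(events: list[str], sender_ip: str) -> list[dict]:
    """Attach the recovered source to every raw event so a downstream consumer
    (e.g. a syslog-ng template) can key on it instead of on the transport peer."""
    out = []
    for raw in events:
        source, how = original_source(raw, sender_ip)
        out.append({"source": source, "source_from": how, "raw": raw})
    return out


if __name__ == "__main__":
    for rec in annotate(SAMPLE_EVENTS, CONNECTOR_IP):
        print(f"{rec['source']:<12} ({rec['source_from']:<6}) {rec['raw']}")
```

Events tagged "sender" are the ones whose origin cannot be recovered from the payload, so counting them is a quick check of how many of your sources actually send a compliant header.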
grace.chang Absent Member.

Re: Raw Syslog forwarding - preserve source IP

Was Richard's answer correct or helpful? If so, please mark as correct so users will know.

arcsight_siem Absent Member.

Re: Raw Syslog forwarding - preserve source IP

Hi

Does anyone have a concrete solution to this? We want to forward raw syslog from the SmartConnector to another (non-HP) destination.

I fear that if we use the RAW syslog format, we may lose the original source IP.

Regards

Gayan Acclaimed Contributor.

Re: Raw Syslog forwarding - preserve source IP

You can use the syslog event broker to send raw logs to different destinations.

Cheers

Gayan

raptraj1 Honored Contributor.

Re: Raw Syslog forwarding - preserve source IP

Hi Richard,

I have the same issue/scenario; I wasn't fully able to understand your solution. Can you please help me out with this?

1. I will enable "Preserve Raw Event" on the connector (for the Logger destination).

2. But the 2nd destination, called "Raw syslog", will still have the same configuration, right? How can this preserve the raw event for the syslog-ng?

3. "Then forward rawEvent out the other end": I wasn't able to understand this. How can we achieve it?

Your help will be highly appreciated

Thanks,

Rajkumar
