Raw Syslog forwarding - preserve source IP
We would like to forward syslogs from a syslog connector to Logger and, as an additional destination, to a syslog-ng system.
For forwarding to syslog-ng, we have configured the destination as "Raw Syslog". Unfortunately, the original source IP does not arrive on syslog-ng; instead, as the source IP we see the IP address of the SmartConnector system. Is it possible to configure the raw syslog destination in some way to preserve the source IP address (spoofing)?
Just to understand your scenario better, you have:

Syslog Source(1) -> syslog connector(2) /
                                        \__ syslogNG (4)

Assuming this is the scenario, which IP do you want at syslogNG?
src - Address appears to be one of the "HARD MACRO" fields on syslog-ng, which is extracted at the time syslog messages are received by the syslog-ng server. There are a few options. Namely, disable parsing of incoming messages completely and manually parse the messages. Another option, once messages are received by syslog-ng, is to write the UDP messages to a syslog-ng destination using the "TEMPLATE" option in syslog-ng.
Why are you NOT sending/forwarding your syslog entries to syslogNG and syslog connector in parallel? Is your syslog source device unable to accept/configure more than one log forwarding destination? This would be my preferred configuration as opposed to trying to forward syslog entries that may have been processed by a smart connector.
You'll want to enable 'preserve raw event' on the connector, and then forward rawEvent out the other end. For sources that sent syslog messages to the ConApp with an RFC-3164 compliant header, you'll have the original syslog source in the same place in the header:
<34>Oct 11 22:14:15 <syslog_source_ip_or_hostname> ...remainder of syslog message
What you may find though is that there are a number of syslog generating devices that violate this header or won't send a header at all.
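As an added illustration (not code from anyone in this thread), a small Python parser that pulls the original source out of a preserved raw event's RFC 3164 header and shows what is left when a device violates the header or sends none; the sample events and the 192.0.2.10 connector address are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed sample events (not from the thread): two compliant RFC 3164 headers,
# one header missing the HOSTNAME field (a common violation), and a bare line.
SAMPLE_EVENTS = [
    "<34>Oct 11 22:14:15 10.1.2.3 sshd[1234]: Failed password for root from 203.0.113.5",
    "<13>Oct 11 22:14:16 fw-edge-01 kernel: DROP IN=eth0 SRC=198.51.100.7",
    "<13>Oct 11 22:14:17 %ASA-6-302013: Built outbound TCP connection",  # no HOSTNAME
    "plain line without any syslog header",
]

# <PRI>TIMESTAMP HOSTNAME MSG, where TIMESTAMP is "Mmm dd hh:mm:ss" (day space-padded).
# HOSTNAME must not look like a TAG ("prog:" or "prog[pid]"), otherwise a device that
# dropped the hostname would have its program name mistaken for the source.
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:\[]+)"
    r" (?P<msg>.*)$"
)


def extract_source(raw_event: str) -> Optional[str]:
    """Return the HOSTNAME field from an RFC 3164 header, or None when the
    event carries no usable header (then only the transport peer is known)."""
    m = RFC3164_HEADER.match(raw_event)
    if not m:
        return None
    if int(m.group("pri")) > 191:  # facility*8 + severity never exceeds 191
        return None
    return m.group("host")


def effective_source(raw_event: str, transport_peer: str) -> Tuple[str, str]:
    """Prefer the header HOSTNAME; fall back to the UDP/TCP peer address, which
    after forwarding is the connector (192.0.2.10 here), not the original device."""
    host = extract_source(raw_event)
    if host is None:
        return transport_peer, "transport"
    return host, "header"


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(effective_source(event, "192.0.2.10"), "<-", event[:40])
```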
Does anyone have a concrete solution to this? We want to forward raw syslog from the SmartConnector to another (non-HP) destination.
I fear that if we use the RAW syslog format, we may lose the original source IP.
I have the same issue/scenario; I wasn't fully able to understand your solution. Can you please help me out on this?
1. I will enable "Preserve Raw Event" on the connector (for the Logger destination).
2. But the 2nd destination, called "Raw syslog", will still have the same configuration, right? How can this preserve the raw event for the SyslogNG?
3. "Then forward rawEvent out the other end" - I wasn't able to understand this; how can we achieve this?
Your help will be highly appreciated.