
We have a Central Syslog server that we use to collect all logs from our hosts and recently got a SIEM that we also want to collect the logs.

We would like the Central Syslog server to duplicate the logs to the SIEM without changing the source IP/source MAC. Not redirect, as we would then not have the log in the Syslog server. So the end result would be that we send logs to the Central Syslog server and we would have a log in our Central Syslog server and in the SIEM from the IP of the asset that sent it to the Central Syslog server.

The reasons we want to do this are:

  1. Some devices will only allow us to forward logs to a single syslog device.
  2. Having to configure all devices to send logs to both is time consuming.
  3. If we forward any logs from the Central Syslog server using rsyslog, depending on the log, the source will show as the Central Syslog server, which is a nightmare for correlation on the SIEM. Some logs do not contain the origin, so for those logs the SIEM assumes the device that forwarded the logs is the source.

I was trying to do this with iptables but can only redirect the logs instead of sending a duplicate log.

Can this be done with iptables or any other application? I am open to any recommendations.

Swannie

1 Answer

You can try the iptables TEE target, but it has a restriction that the destination to copy the packet to must be on the same Layer 2 segment.

From the man page:

The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.

For example, on the server that receives the logs, you could do:

```
iptables -t mangle -A PREROUTING -p udp --dport 514 -j TEE --gateway 192.168.87.203
```

This would send a copy of the UDP packet, with original source address, to the given gateway IP address.

Michael Hampton
  • Thank you that worked like a dream. I just hope my manager does not want some of the devices to use TLS to send the logs. – Swannie Sep 17 '20 at 17:38