I would like to try a reverse DNS lookup before storing the firewall logs. I know this is possible in Logstash but I don't know if syslog-ng can be configured to do the same. Actually my logs coming from pfSense are parsed with a CSV parser:

parser p_pfsense {
    csv-parser(
        columns("PFSENSE.Rule_Number","PFSENSE.Sub_rule_number",...)
        delimiters(",")
    );
};

Then I already have all firewall fields such as ${PFSENSE.sourceip}, but I don't know if a field can be processed by an external script before storing it.

Please mind that I'm not asking for the hostname (${HOST}) of the sender, but of an IP field inside the log message.

Tobia

  • Checking DNS before writing logs is risky. If the DNS times out your logs are backed up and you risk losing information if your server reboots before data is written. Reversing IPs later or asynchronously is safer. – chicks Jun 17 '15 at 15:54
  • I agree with @chicks. IMHO the best is to have a log server. – Jose Raul Barreras Jun 18 '15 at 05:31
  • @chicks this is a good comment. In my case I have a pfSense firewall logging to a remote syslog-ng server, which has a connector to Elasticsearch. So I think this is already buffered by the remote transmission, don't you agree? Is there any other solution to avoid another log server like Logstash? – Tobia Jun 18 '15 at 06:16

1 Answer

You can trigger an action for identified messages as explained here. In Suricata you can find an example of use.
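One way to do the lookup on the parsed field from inside syslog-ng while respecting the caveat in the comments (a slow or dead resolver must not stall the pipeline). This is an added example, not code from the question, the answer, or the syslog-ng project. It assumes the syslog-ng python() parser API (a class with an init(self, options) and a parse(self, log_message) method, where log_message is indexed by name-value pair name and hands values over as bytes), and it assumes the field names PFSENSE.sourceip and PFSENSE.destip following the question's naming. The class also runs stand-alone, which is what demo() does with a constructed stand-in for DNS.

```python
"""Reverse-DNS enrichment of a parsed firewall field without stalling the pipeline.

Added example (not from the original question or answer). Assumes the
syslog-ng python() parser API: class with init(self, options) and
parse(self, log_message); log_message[name] gets/sets a name-value pair and
values arrive as bytes. Field names are assumptions following the question.
"""
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as LookupTimeout

IP_FIELDS = ("PFSENSE.sourceip", "PFSENSE.destip")   # assumed field names
HOST_SUFFIX = "_host"                                 # result lands in e.g. PFSENSE.sourceip_host


def system_resolver(ip):
    """Blocking PTR lookup through the system resolver (default unless one is injected)."""
    return socket.gethostbyaddr(ip)[0]


class ReverseDnsEnricher:
    """Caching reverse-DNS lookups with a hard per-lookup time budget.

    A slow or dead DNS server costs at most `timeout` seconds once per IP per
    `ttl`, because negative results are cached too; a message is never held
    longer than that, which is the risk raised in the comments above.
    """

    def __init__(self, resolver=system_resolver, timeout=0.2, ttl=300,
                 max_entries=10000, workers=4):
        self._resolver = resolver
        self._timeout = timeout
        self._ttl = ttl
        self._max_entries = max_entries
        self._cache = {}          # ip -> (expiry, hostname or None)
        self._pool = ThreadPoolExecutor(max_workers=workers)
        self.stats = {"hit": 0, "miss": 0, "timeout": 0, "error": 0}

    def lookup(self, ip, now=None):
        """Return the PTR name for `ip`, or None if unknown or too slow; always bounded."""
        now = time.monotonic() if now is None else now
        cached = self._cache.get(ip)
        if cached is not None and cached[0] > now:
            self.stats["hit"] += 1
            return cached[1]
        self.stats["miss"] += 1
        future = self._pool.submit(self._resolver, ip)
        try:
            name = future.result(timeout=self._timeout)
        except LookupTimeout:
            self.stats["timeout"] += 1   # the worker keeps waiting; the caller does not
            name = None
        except (socket.herror, socket.gaierror, OSError):
            self.stats["error"] += 1     # NXDOMAIN, SERVFAIL, no resolver configured, ...
            name = None
        if len(self._cache) >= self._max_entries:
            self._cache.clear()          # crude bound; fine for one firewall's address space
        self._cache[ip] = (now + self._ttl, name)   # negative results cached as well
        return name

    # --- syslog-ng python() parser entry points (API assumed, see lead-in) ---
    def init(self, options):
        return True

    def parse(self, log_message):
        for field in IP_FIELDS:
            try:
                ip = log_message[field]
            except KeyError:
                continue
            if isinstance(ip, bytes):        # syslog-ng hands values over as bytes
                ip = ip.decode("ascii", "replace")
            if not ip:
                continue
            name = self.lookup(ip)
            # keep the raw IP when there is no PTR so templates always have a value
            log_message[field + HOST_SUFFIX] = name if name else ip
        return True   # returning False would drop the message; enrichment failure should not


def _constructed_resolver(ip):
    """Constructed stand-in for DNS: one known host, one address whose server never answers."""
    known = {"10.0.0.5": "fw.example.internal"}
    if ip == "192.0.2.9":
        time.sleep(1.0)   # simulates a resolver that never replies
    if ip not in known:
        raise socket.herror(1, "Unknown host")
    return known[ip]


def demo():
    """Enrich a constructed pfSense-style parsed message twice; the second pass is all cache hits."""
    enricher = ReverseDnsEnricher(resolver=_constructed_resolver, timeout=0.2)
    message = {"PFSENSE.sourceip": b"10.0.0.5", "PFSENSE.destip": b"192.0.2.9"}
    enricher.parse(message)
    enricher.parse(message)
    return message, enricher.stats


if __name__ == "__main__":
    print(demo())
```

To wire it in, the module would be placed on syslog-ng's Python path and referenced from a parser block with python(class("revdns.ReverseDnsEnricher")) placed after p_pfsense in the log path; the module name is an assumption. The design choice is the one chicks' comment points at: the lookup is bounded by a timeout and backed by a cache that also remembers failures, so the worst case for a dead resolver is one short stall per new IP per TTL rather than an unbounded queue, and the message is written with the plain IP rather than being held or dropped.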