
Greetings. First of all, thanks for taking the time to read this question; apologies for my poor English. I'm really a n00b at syslog-ng, but I did the work and read syslog-ng-ose-admin-guide.pdf, and I still can't solve my problem.

This is my scenario: I work at a company that supplies cloud security services to customers. An appliance with virtual machines (VMs) running on VMware ESXi 6.5 is installed on the customer's premises as part of our services, as described below:

VMs offering security services, with a syslog-ng client configuration.
Splunk Forwarder (UF) VM, with a syslog-ng server configuration.
VMs running Ubuntu 16.04.02; the syslog-ng version is 3.5.

On our cloud premises, we run Splunk Enterprise (SE) to collect/correlate/analyze logs.

In this appliance, all VMs are configured with a static non-routable IP (172.16.X.X), and the VMs with syslog-ng clients forward selected logs to the syslog-ng server. The UF relays these collected logs to SE. This configuration is maintained for ALL customers.

This appliance is configured in such a way that each VM has . So, for example, if VM1 has IP 172.16.1.1 and VM2 has 172.16.1.2, then on the premises of customers cust1, cust2 and cust3, VM1 has the same IP 172.16.1.1, and so on.

So, this is our problem: when SE receives logs from the VMs via the UF, we can't identify who the data owner is, because the VMs have the same IPs at all customers, so when we inspect data in Splunk by asking for 172.16.1.1, we don't know whether the results come from cust1, cust2 or cust3. In fact, the results are a mess of cust1, cust2 and cust3 logs, we believe. Furthermore, the VMs perform some inspections on the customer's premises, so it's possible to find entries for, for example, a PC with IP 10.10.1.1 in both the VM1 log and the VM2 log; so if the syslog-ng clients send these logs to the syslog-ng server, how can we know whether an entry belongs to the VM1 log or the VM2 log?

Reading the mentioned PDF, I found that we can modify syslog-ng messages with tagging. So, to identify customers' logs properly, we think we can modify the message by adding a unique customer ID, so that a customer's logs can be consulted and correlated in SE without confusion.

But I don't know which commands/options/capabilities of syslog-ng I should use in order to tag customers' logs as described above.

So, these are my questions: is tagging a real solution to my problem? If it is, how should I use tagging in the syslog-ng configuration? Can you provide me some examples? Are there other ways to solve my problem?

Please, I'm really a n00b at syslog-ng and any help will be appreciated, even if you consider your support, guide, advice or answer basic. I'm really open to syslog-ng 101 answers.

Please let me know if you need further explanation about my problem; I hope I have described it enough.

Thank you very much and best regards,

Rafael

rjlara

1 Answer


Here are a couple of notes and ideas about the problem:

  • Tagging can be a good solution for you. However, by default syslog-ng does not forward tags from a syslog-ng client to the syslog-ng server. If you add tags on the client, you must explicitly include the tags in the forwarded messages, and extract the value of the tag on the server. How to do this depends on the protocol and message format you use. If you use the network() driver, you must use a template that includes the tag in the message, and parse it somehow on the server. A better way is to use the syslog() driver and include the tags in the SDATA part of the message (you can find an example of this in this blog post: https://czanik.blogs.balabit.com/2015/03/using-rfc5424-syslog-to-forward-file-names/). Yet another way is to send the messages in JSON format.
  • If you use TLS to encrypt the communication between the syslog-ng client and the server, newer syslog-ng versions can use information from the client certificate as macros. So if your client hosts have unique certificates, you can use this info to identify them: https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html#macro-tls-x509
  • Also, if your clients have unique hostnames (even if their IP addresses are not unique), check out the hostname-related macros in their messages ($HOST_FROM, $FULLHOST_FROM); depending on your environment, they might contain the information you need.
  • If you can separate your customers somehow on your syslog-ng server (for example, every customer site sends the messages to a separate port or IP address of the server), so that you can assign a separate source on the server to every client, then you can use the host-override() option of the source driver to assign a unique hostname to the messages.

Let us know if the above is of help to you, or if you need further assistance.

Robert Fekete
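To make the first and last bullets of the answer concrete, here is an added configuration example; it is not part of the answer above and not taken from the syslog-ng documentation. It assumes syslog-ng 3.5 on both sides with the set-tag() rewrite rule available, that the UF VM listens at 172.16.1.100 (a placeholder taken from the question's addressing scheme), that VM1 and VM2 are pointed at ports 601 and 602 respectively, and that "cust1"/"cust2"/... is a constant written into each appliance at deployment time. The SD-ID uses enterprise number 32473, which RFC 5612 reserves for documentation examples; replace it with your own registered number. The client puts the customer ID and its own tags into SDATA, the syslog() driver carries them as RFC 5424 structured data, and the server recovers them as ${.SDATA.*} macros while host-override() gives each feed a unique ${HOST}.

```conf
# ===== Client side: one of the security-service VMs (VM1), /etc/syslog-ng/syslog-ng.conf =====
@version: 3.5

source s_local {
    system();
    internal();
};

# Per-site constant, set when the appliance is deployed ("cust1" is a placeholder).
# Name-value pairs whose name starts with .SDATA. are emitted as RFC 5424
# STRUCTURED-DATA by the syslog() destination; the SD-ID must be name@enterpriseID.
rewrite r_customer {
    set-tag("customer-cust1");                                   # local tag, not forwarded by itself
    set("cust1"   value(".SDATA.customer@32473.id"));            # customer ID travels in SDATA
    set("${TAGS}" value(".SDATA.customer@32473.tags"));          # copy the tag list into SDATA too
};

# syslog() = RFC 5424 on the wire. VM1 uses port 601; VM2 would use port 602 (assumption).
destination d_uf {
    syslog("172.16.1.100" transport("tcp") port(601));
};

log { source(s_local); rewrite(r_customer); destination(d_uf); };


# ===== Server side: Splunk UF VM, /etc/syslog-ng/syslog-ng.conf =====
@version: 3.5

# One syslog() source per client port, so each VM's feed can be told apart even
# though every customer site uses the same 172.16.x.x addresses.
# host-override() replaces ${HOST} with a name of our choosing.
source s_vm1 {
    syslog(ip("172.16.1.100") port(601) transport("tcp") host-override("cust1-vm1"));
};
source s_vm2 {
    syslog(ip("172.16.1.100") port(602) transport("tcp") host-override("cust1-vm2"));
};

# The SDATA set on the client is available here as ${.SDATA.customer@32473.id} and
# ${.SDATA.customer@32473.tags}. Write one file per customer and host, with the
# customer ID and tags in key=value form so the UF / Splunk can extract them as fields.
destination d_for_splunk {
    file("/var/log/syslog-ng/${.SDATA.customer@32473.id}/${HOST}.log"
         create-dirs(yes)
         template("${ISODATE} host=${HOST} customer=${.SDATA.customer@32473.id} client_tags=${.SDATA.customer@32473.tags} program=${PROGRAM} msg=${MSG}\n"));
};

log { source(s_vm1); source(s_vm2); destination(d_for_splunk); };
```

Validate each file with `syslog-ng --syntax-only` before restarting the service, then send a test line from VM1 (for example with `logger`) and confirm it lands under /var/log/syslog-ng/cust1/cust1-vm1.log on the UF VM with the customer= and client_tags= fields filled in. Because the customer ID is carried inside the message rather than inferred from the source address, Splunk searches for 172.16.1.1 can be narrowed by customer=cust1 once the UF forwards those files.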