I would like to create centralized logging using syslog-ng. I have to cover multiple offices with 1-2 public IPs and multiple other servers/devices running "in the cloud".

For the cloud servers everything is working OK, but when I want to collect logs from the different devices in the office I am losing the hostname / source IP info of the devices. I only get the external public IP.

The syslog-ng version is 3.5.3 which is running on an Ubuntu 14.04 machine (in the cloud with public IP address).

My extra, non-default config file is the following, /etc/syslog-ng/conf.d/logserver.conf:

source s_network_udp { syslog(ip(<syslog_server_public_ip>) transport("udp") keep-hostname(yes)); };
source s_network_tcp { tcp(ip(<syslog_server_public_ip>) port(514) keep-hostname(yes)); };

destination d_netlog { file("/var/log/remote/${HOST}.log"); };

log { source(s_network_udp); destination(d_netlog); };
log { source(s_network_tcp); destination(d_netlog); };

Every public server has its own $hostname.log file, but for the office devices I only get one big public_ip_of_office.log file.

The syslog-ng.conf file has the default config. I am not sure whether the NAT-ing is causing issues or not. I do not use any relay feature; I only have one syslog-ng server.

Any help would be great.

1 Answer

NAT will hide the source IPs. It is not a syslog-ng / syslog issue.

You can use keep-hostname(), but I would suggest not to use that.

If you allow me, I would suggest some hints to improve your setup:

  • implement a syslog-ng relay at the NAT boxes
  • use the IETF syslog protocol instead of the legacy BSD syslog, at least between the relay and the target server
  • if you implement relays, then do not use keep-hostname on the relays! That's your final chance to check at least the source IP of the sender.

With this kind of setup, the relay will see the real source IP, and it can add several metadata items in the SDATA part of the IETF protocol, e.g. the source IP.
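The relay layout described in this answer, written out as an added example (it is not config from the original post or from the syslog-ng project). It assumes syslog-ng 3.4 or later (for the network() driver; the page's 3.5.3 qualifies), a placeholder central hostname central.example.com, placeholder certificate paths, and that each office relay sits on the LAN side of the NAT box. The relay uses keep-hostname(no) so the HOST field is overwritten with the address the relay actually received the message from (a device cannot claim another name), and a rewrite rule copies that same address into the RFC 5424 structured-data element "origin" / "ip" (both names are registered in RFC 5424), so the device address survives even if a later hop rewrites HOST. The central server trusts HOST from the authenticated relay and files each device under the relay's public address:

```conf
# ---- Office relay (one per NAT box), /etc/syslog-ng/conf.d/relay.conf ----
# Listens on the office LAN, where it still sees each device's real address.
# network() exists since syslog-ng 3.4; use udp()/tcp() on older releases.
source s_office_lan {
    network(ip("0.0.0.0") port(514) transport("udp") keep-hostname(no));
    network(ip("0.0.0.0") port(514) transport("tcp") keep-hostname(no));
};

# ${SOURCEIP} is the peer address syslog-ng received the message from.
# Store it as RFC 5424 structured data: [origin ip="..."].
rewrite r_stamp_origin {
    set("${SOURCEIP}" value(".SDATA.origin.ip"));
};

# IETF syslog (RFC 5424) over TLS to the central server; the syslog()
# destination emits every .SDATA.* name-value pair in the SD field.
# Hostname and file paths are placeholders for this example.
destination d_central {
    syslog("central.example.com" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/relay.key")
            cert-file("/etc/syslog-ng/relay.crt")
            peer-verify(required-trusted))
    );
};

log { source(s_office_lan); rewrite(r_stamp_origin); destination(d_central); };

# ---- Central server (the existing cloud host), /etc/syslog-ng/conf.d/logserver.conf ----
# Only relays holding a certificate from our CA may connect.
# keep-hostname(yes) is safe here because HOST was set by the relay,
# not by the device itself.
source s_relays {
    syslog(ip("0.0.0.0") port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/server.key")
            cert-file("/etc/syslog-ng/server.crt")
            peer-verify(required-trusted))
        keep-hostname(yes)
    );
};

# On the server, ${SOURCEIP} is the relay's (office) public address and
# ${HOST} is the device behind it, so each device gets its own file again.
# The template keeps the origin.ip value in the written line, since the
# default file template is BSD-style and would drop structured data.
destination d_netlog {
    file("/var/log/remote/${SOURCEIP}/${HOST}.log"
         create-dirs(yes)
         template("${ISODATE} ${HOST} origin.ip=${.SDATA.origin.ip} ${MSGHDR}${MSG}\n"));
};

log { source(s_relays); destination(d_netlog); };
```

The relay's network() sources deliberately do not enable keep-hostname, matching the third hint above: the relay is the last hop that can still observe the device's real address, so it is the place to record it. If reverse DNS for office devices is unreliable, add use-dns(no) to the relay sources so HOST stays the raw IP; ${.SDATA.origin.ip} always holds the raw IP regardless.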