
I have a centralized syslog-ng system that is taking in feeds from various servers, and putting it into storage. Fortunately, I was forward thinking and I have each system coming in on its own port, which helps me delineate which traffic is which.

I need to send some of this traffic to a network sensor running rsyslogd. But that sensor is only listening on 514, and I can't change that. But I need for the rsyslogd box to be able to pull apart the traffic, and to know where it came from originally, so that I can apply the right rewriting and sending to software on the sensor (basically, to template it all).

How can I do this? I know there is tagging on the syslog-ng box, but from what I see, that doesn't actually work for outbound UDP traffic.

jasonmclose

1 Answer


If you use UDP, you can use the spoof-source() option of syslog-ng. It needs a syslog-ng package compiled with libnet. For details check the documentation at https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.7-guides/en/syslog-ng-ose-v3.7-guide-admin/html-single/index.html

  • Thanks for the reply Peter. I've tried this. I have spoof-source(yes) set, and recompiled syslog-ng with the --enable-spoof-source flag. But it doesn't seem to be working. – jasonmclose Oct 28 '15 at 14:11
  • I also tried adding a tag into the message on the syslog-ng side, and then using `if $msg contains 'mytag'` in a .conf file on the rsyslog.d side, but that doesn't seem to work either. I can tcpdump the traffic and see the tag in the message, but rsyslogd isn't pulling out the traffic and putting it into the log file I want. – jasonmclose Oct 28 '15 at 14:13
  • Hi, unfortunately, tags are not part of the message by default. To send over tags to a destination, you have to explicitly put them in the destination template. – Robert Fekete Oct 29 '15 at 19:55
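The approach from the last comment, written out as an added configuration example (not from the original question or answer, and not from the syslog-ng or rsyslog projects): each inbound port gets a syslog-ng source with its own tag, the destination template writes the `${TAGS}` macro into the message body so the tag actually leaves the box, and the rsyslog side splits the stream on that marker. The port numbers, tag names, file paths and the `SENSOR_IP_PLACEHOLDER` address are assumptions to replace with your own values.

```conf
# ---- syslog-ng side (collector) ----
# Assumed: one source per inbound port, each labelled with tags(); the
# tag lives only inside syslog-ng unless a template emits it.
source s_web { network(ip("0.0.0.0") port(5140) transport("udp") tags("from-web")); };
source s_db  { network(ip("0.0.0.0") port(5141) transport("udp") tags("from-db"));  };

# The template is what puts the tag on the wire: ${TAGS} expands to the
# message's tag list, placed as a bracketed marker at the start of MSG.
template t_tagged {
    template("<${PRI}>${DATE} ${HOST} ${PROGRAM}: [${TAGS}] ${MSG}\n");
};

# Assumed sensor address; port 514/udp as stated in the question.
# spoof-source(yes) needs syslog-ng built with libnet and raw-socket
# privileges, and uRPF filtering on the path will drop spoofed packets,
# so the tag in the message is the reliable origin marker.
destination d_sensor {
    network("SENSOR_IP_PLACEHOLDER" port(514) transport("udp")
            template(t_tagged) spoof-source(yes));
};

log { source(s_web); destination(d_sensor); };
log { source(s_db);  destination(d_sensor); };

# ---- rsyslog side (sensor), e.g. /etc/rsyslog.d/10-collector.conf ----
# Assumed: rsyslog splits on the marker the template emitted. The marker
# sits after "PROGRAM:", so it is part of $msg, which is why a filter on
# $msg only matches once the template carries the tag.
if $msg contains '[from-web]' then /var/log/sensor/web.log
& stop
if $msg contains '[from-db]' then /var/log/sensor/db.log
& stop
```

To check the chain end to end, capture on the sensor with tcpdump and confirm the `[from-web]` marker is inside the packet payload before looking at rsyslog; if it is absent, the template is not applied to the destination, and no rsyslog filter will match.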