Mailing List Archive

forward to 2nd server
Hi,

I configured all my servers to send everything to a central server with
"*.*  @192.168.0.10:2514" which works great.

For some tests and proof-of-concepts, I'd like to have the syslog
messages also go to a second logserver. However, adding "*.*
@192.168.0.22:514" on the central server 192.168.0.10 makes all messages
appear to originate from there instead of the original source IP.

Because we don't wanna go edit all servers, nor do we like to have all
messages go twice over the WAN, *IS* there a way to send the syslog
from the first syslog server to the second while preserving the original
source IP??

Thnx, Ton


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: forward to 2nd server
It's a tricky question and the answer is not that straightforward.

There is an option: using a module called omudpspoof, which sends out UDP
datagrams with a spoofed source IP. However, this requires rsyslog to run
as the root user (which is not the best idea) since it needs to manipulate
raw sockets.

But.

This works only for UDP. For TCP the connection will always have the
real source address since it obviously needs to do two-way traffic. And
TCP is much more reliable in terms of delivering messages than UDP.

So it would probably be best for you to "pack" the event on the source
server (for example, into a JSON structure) along with the source IP
and send it to the destination server to "unpack".

Unless of course your destination is some other system which
can't do this "unpacking".

On 01.04.2021 15:29, rsyslog--- via rsyslog wrote:
> Hi,
>
> I configured all my servers to send everything to a central server with
> "*.*  @192.168.0.10:2514" which works great.
>
> For some tests and proof-of-concepts, I'd like to have the syslog
> messages also go to a second logserver. However, adding "*.*
> @192.168.0.22:514" on the central server 192.168.0.10 makes all
> messages appear to originate from there instead of the original source
> IP.
>
> Because we don't wanna go edit all servers, nor do we like to have all
> messages go twice over the WAN, *IS* there a way to send the syslog
> from the first syslog server to the second while preserving the
> original source IP??
>
> Thnx, Ton
>
>
Re: forward to 2nd server
What you should be doing is looking at the hostname in the message rather than the
IP that the message appears to come from. As you have seen, the IP is affected by
relays, and it's also affected by NAT.

omudpspoof can help, but it's a very substantial performance hit.

David Lang

On Thu, 1 Apr 2021, Mariusz Kruk via rsyslog wrote:

> Date: Thu, 1 Apr 2021 16:10:07 +0200
> From: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Mariusz Kruk <mkr@safecomp.com>
> Subject: Re: [rsyslog] forward to 2nd server
>
> It's a tricky question and the answer is not that straightforward.
>
> There is an option: using a module called omudpspoof, which sends out UDP
> datagrams with a spoofed source IP. However, this requires rsyslog to run
> as the root user (which is not the best idea) since it needs to manipulate
> raw sockets.
>
> But.
>
> This works only for UDP. For TCP the connection will always have the
> real source address since it obviously needs to do two-way traffic. And
> TCP is much more reliable in terms of delivering messages than UDP.
>
> So it would probably be best for you to "pack" the event on the source
> server (for example, into a JSON structure) along with the source IP
> and send it to the destination server to "unpack".
>
> Unless of course your destination is some other system which
> can't do this "unpacking".
>
> On 01.04.2021 15:29, rsyslog--- via rsyslog wrote:
>> Hi,
>>
>> I configured all my servers to send everything to a central server with
>> "*.*  @192.168.0.10:2514" which works great.
>>
>> For some tests and proof-of-concepts, I'd like to have the syslog
>> messages also go to a second logserver. However, adding "*.*
>> @192.168.0.22:514" on the central server 192.168.0.10 makes all
>> messages appear to originate from there instead of the original source
>> IP.
>>
>> Because we don't wanna go edit all servers, nor do we like to have all
>> messages go twice over the WAN, *IS* there a way to send the syslog
>> from the first syslog server to the second while preserving the
>> original source IP??
>>
>> Thnx, Ton
>>
>>
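Both suggestions in this thread (Mariusz's "pack the event with its source IP into JSON and unpack it on the far side", and David's "key on the hostname inside the message rather than the peer address") can be expressed as plain rsyslog configuration without omudpspoof or root privileges. The two fragments below are an added example written for this archive, not configuration from the thread's participants or from the rsyslog project. The relay and destination addresses are the ones from the original question; the `origin_ip`/`origin_host` field names, the `/var/log/remote` paths, and the template names are assumptions chosen for the example.

```conf
# Added example (not from the thread). Relay side: 192.168.0.10.
# Wrap each event as RFC 5424 with an @cee: JSON payload that carries the
# address the relay actually received it from, then forward over TCP so
# delivery is reliable (the relay's own address becomes the TCP peer, which
# is expected; the original source travels inside the payload).
template(name="wrap_with_origin" type="list") {
  constant(value="<")
  property(name="pri")
  constant(value=">1 ")
  property(name="timereported" dateFormat="rfc3339")
  constant(value=" ")
  property(name="$myhostname")
  constant(value=" relay - - - @cee:{\"origin_ip\":\"")
  # peer address as seen by the relay (what the second server can no longer see)
  property(name="fromhost-ip" format="json")
  constant(value="\",\"origin_host\":\"")
  # hostname claimed inside the message by the original sender
  property(name="hostname" format="json")
  constant(value="\",\"tag\":\"")
  property(name="syslogtag" format="json")
  constant(value="\",\"msg\":\"")
  property(name="msg" format="json")
  constant(value="\"}")
}
*.* action(type="omfwd" target="192.168.0.22" port="514" protocol="tcp"
           template="wrap_with_origin")

# Second server side: 192.168.0.22.
# Unpack the JSON and file each event by its original source address and
# hostname; events that arrive unwrapped (direct senders) fall back to the
# hostname carried in the syslog header, as David suggested.
module(load="imtcp")
module(load="mmjsonparse")
input(type="imtcp" port="514")

template(name="by_origin_ip" type="string"
         string="/var/log/remote/%$!origin_ip%/%$!origin_host%.log")
template(name="by_hostname" type="string"
         string="/var/log/remote/%HOSTNAME%.log")
template(name="unwrapped" type="string"
         string="%timereported% %$!origin_host% %$!tag%%$!msg%\n")

# mmjsonparse fills $! from the @cee: payload and sets $parsesuccess
action(type="mmjsonparse")
if $parsesuccess == "OK" then {
    action(type="omfile" dynaFile="by_origin_ip" template="unwrapped")
} else {
    action(type="omfile" dynaFile="by_hostname")
}
```

Two points worth keeping in mind when reading the second half. `origin_ip` is trustworthy only to the extent the relay is: it is the address the relay observed, so the second server should accept the wrapped form only from the relay (a firewall rule or an `if $fromhost-ip == "192.168.0.10"` guard around the unwrapping branch). `origin_host` and the `%HOSTNAME%` fallback, by contrast, are whatever the sender wrote into the message, which is why consistent FQDNs on the senders matter if you key on them and why it is a weaker identity than the peer address.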
Re: forward to 2nd server
Too used to working with subnets, but this looks like the simplest solution!
No idea how I could have missed that.
Now I see we need to fix a few FQDNs (but that's okay) and it can work
as well as subnets.

Thnx!
//Ton

On 4/1/21 5:21 PM, David Lang via rsyslog wrote:
> What you should be doing is looking at the hostname in the message rather
> than the IP that the message appears to come from. As you have seen,
> the IP is affected by relays, and it's also affected by NAT.
>
> omudpspoof can help, but it's a very substantial performance hit.
>
> David Lang
>
> On Thu, 1 Apr 2021, Mariusz Kruk via rsyslog wrote:
>
>> Date: Thu, 1 Apr 2021 16:10:07 +0200
>> From: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
>> To: rsyslog@lists.adiscon.com
>> Cc: Mariusz Kruk <mkr@safecomp.com>
>> Subject: Re: [rsyslog] forward to 2nd server
>>
>> It's a tricky question and the answer is not that straightforward.
>>
>> There is an option: using a module called omudpspoof, which sends out
>> UDP datagrams with a spoofed source IP. However, this requires rsyslog
>> to run as the root user (which is not the best idea) since it needs to
>> manipulate raw sockets.
>>
>> But.
>>
>> This works only for UDP. For TCP the connection will always have the
>> real source address since it obviously needs to do two-way traffic.
>> And TCP is much more reliable in terms of delivering messages than UDP.
>>
>> So it would probably be best for you to "pack" the event on the
>> source server (for example, into a JSON structure) along with the
>> source IP and send it to the destination server to "unpack".
>>
>> Unless of course your destination is some other system
>> which can't do this "unpacking".
>>
>> On 01.04.2021 15:29, rsyslog--- via rsyslog wrote:
>>> Hi,
>>>
>>> I configured all my servers to send everything to a central server
>>> with "*.*  @192.168.0.10:2514" which works great.
>>>
>>> For some tests and proof-of-concepts, I'd like to have the syslog
>>> messages also go to a second logserver. However, adding "*.*
>>> @192.168.0.22:514" on the central server 192.168.0.10 makes all
>>> messages appear to originate from there instead of the original
>>> source IP.
>>>
>>> Because we don't wanna go edit all servers, nor do we like to have
>>> all messages go twice over the WAN, *IS* there a way to send the
>>> syslog from the first syslog server to the second while preserving
>>> the original source IP??
>>>
>>> Thnx, Ton
>>>
>>>