Hello,
I already took a look at How to override "device.ip" meta with the right one?
We're using TCP syslog for security and regulatory reasons, so we can't spoof the source IP.
We're using Balabit log forwarders to forward a huge quantity of logs into our VLCs. "Device.ip" is getting populated with the IPs of the log forwarders, which is causing a lot of problems.
Has anybody found a solution for this?
Thank you
Hi Kevin,
Thank you for your post.
We have a document here that was written by Dave Glover.
If you change the below to use TCP instead of UDP, does that work?
Can you verify with
tcpdump -A port 514
that the template is taking effect?
Here is the document:
Use at your own risk. This is not blessed by engineering, however ...
Using the following templates does not require the spoofing settings to be used in the relays.
I prefer this method over the spoofing method: as you will see below, the relay server IP is not lost and can be quite useful in troubleshooting the flow of logs through the relays.
Rsyslog format: needs rsyslog 6.x and above for the function %timestamp:::date-unixtimestamp% to work (if you are on version 5.x this will no longer work, as a change was made in 10.3.3 to require the unix timestamps).
$EscapeControlCharactersOnReceive off    (this is needed for Snare, but doesn't hurt anything by being there)
$template NWLDfmt,"[][][%FROMHOST-IP%][%timestamp:::date-unixtimestamp%][] %rawmsg%\n"
*.* @@10.12.236.228:514;NWLDfmt
If you are using syslog-ng the settings are as follows.
Make sure of the following:
keep_hostname(no)
use_dns(no)
destination d_syslog_RSA_udp { udp("1.1.1.1" port (514) template("[][][$HOST][$UNIXTIME][] $MSGHDR$MSG\n")); };
If you are relaying Snare, it uses control characters in the header which mess with syslog-ng, so you need to use the following template for syslog-ng:
destination d_syslog_RSA_udp { udp("1.1.1.1" port (514) template("[][][$HOST][$UNIXTIME][] $DATE $TIME $HOST $MSGHDR$MSG\n")); };
To check what is being received by the log collector/VLC you can run:
tcpdump -A port 514
and you should see something like the following (this is coming from Snare):
[][][10.12.236.206][1398440147][] <13>Apr 25 11:35:47 test-r2 MSWinEventLog,0,Security,87,Fri Apr 25 11:35:46 2014,4719,Microsoft-Windows-Security-Auditing,WORKGROUP\TEST-R2$,N/A,Success Audit,test-r2,Audit Policy Change,,System audit policy was changed. Subject: Security ID: S-1-5-18 Account Name: TEST-R2$ Account Domain: WORKGROUP Logon ID: 0x3e7 Audit Policy Change: Category: Account Logon Subcategory: Kerberos Service Ticket Operations Subcategory GUID: {0CCE9240-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added,69
This format will populate device.ip with the value from the third []. What is great about using this format is that the syslog forwarder system is not lost; it is called out in the forwarder meta key, as shown below.
Hope that helps
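A small checker for the tcpdump output described above, added here as an example and not part of the original post or Dave Glover's document: it parses the bracketed header the NWLDfmt template produces, pulls the inner syslog PRI out of the wrapped message, and flags captured lines where the template is missing or the third field still carries a forwarder address (the symptom in the question). The sample lines and the 192.0.2.x addresses are constructed placeholders; feed it your own capture and forwarder list.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Header shape produced by the NWLDfmt template in the post:
# [][][<device ip>][<unix time>][] <original syslog message>
_HEADER = re.compile(r"^\[[^\]]*\]\[[^\]]*\]\[(?P<ip>[^\]]*)\]"
                     r"\[(?P<ts>[^\]]*)\]\[[^\]]*\] (?P<payload>.*)$")
_PRI = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")


def parse_nw_line(line):
    # Fields NetWitness takes from one relayed line; None if no valid header.
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    try:
        device_ip = str(ipaddress.ip_address(m.group("ip")))
        when = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    except ValueError:  # third bracket not an IP, or fourth not a unix time
        return None
    rec = {"device_ip": device_ip, "event_time": when, "facility": None,
           "severity": None, "payload": m.group("payload")}
    p = _PRI.match(rec["payload"])
    if p:  # inner <PRI> from the original sender, e.g. <13> = user.notice
        rec["facility"], rec["severity"] = divmod(int(p.group("pri")), 8)
        rec["payload"] = p.group("rest")
    return rec


def check_capture(lines, forwarder_ips):
    # "ok", "template_missing" (no bracketed header, template not applied)
    # or "relay_ip" (device.ip would still be a forwarder address).
    relays = {str(ipaddress.ip_address(a)) for a in forwarder_ips}
    out = []
    for line in lines:
        rec = parse_nw_line(line)
        if rec is None:
            out.append(("template_missing", line))
        elif rec["device_ip"] in relays:
            out.append(("relay_ip", rec))
        else:
            out.append(("ok", rec))
    return out


# Constructed sample capture; 192.0.2.x are placeholders, not from the post.
SAMPLE = [
    "[][][192.0.2.10][1398440147][] <13>Apr 25 11:35:47 test-r2 MSWinEventLog,0,Security,87",
    "[][][192.0.2.1][1398440148][] <13>Apr 25 11:35:48 test-r2 MSWinEventLog,0,Security,88",
    "<13>Apr 25 11:35:49 test-r2 MSWinEventLog,0,Security,89",
]
FORWARDERS = ["192.0.2.1"]
```

Pipe `tcpdump -A -l port 514` through it (one line per record) and any "template_missing" or "relay_ip" result means the relay template is not doing what the post expects.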