0 votes

I am trying to forward logs through two syslog-ng relay servers, which adds the first relay server's IP as the source, and in my SIEM I am seeing all logs coming from the first syslog relay server.

Setup is below.

Client --> Syslog-Relay1 ---> Syslog-Relay2 ---> SIEM

In the SIEM I am seeing the log source of every message as Syslog-Relay1. I have played with multiple options, but no hope yet. Any idea what I am missing here? I am not finding any proper documents / forums which explain this setup. In case you are wondering why I am trying to achieve this: we are looking to meet a specific log flow. Thanks in advance.

Following is my configuration:

Syslog-Relay1

@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/
options {
    time-reap(30);
    mark-freq(10);
#    keep-hostname(yes);
    keep-hostname(no);
    log_msg_size(65536);
    log_fifo_size(10000);
    threaded(yes);
    flush_lines(100);
    use_dns(no);
    stats_freq(60);
    mark_freq(36400);
    use_fqdn(no);
#    chain-hostnames(yes);
    chain-hostnames(no);
    };


source s_syslog_over_network {
        network(
                ip(0.0.0.0)
                log-fetch-limit(200)
                log-iw-size(1000000)
                keep-alive(yes)
                max_connections(10000)
                port(9999)
                transport("tcp")
                flags(no-parse)
        );
};


destination d_syslog_tcp {
        network(
                "10.12.86.98"
                transport("tcp")
                port(12229)
        );
};

log {
        source(s_syslog_over_network);
        destination(d_syslog_tcp);
};

Syslog-Relay2

@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/
options {
    time-reap(30);
    mark-freq(10);
#    keep-hostname(yes);
    keep-hostname(no);
    log_msg_size(65536);
    log_fifo_size(10000);
    threaded(yes);
    flush_lines(100);
    use_dns(no);
    stats_freq(60);
    mark_freq(36400);
    use_fqdn(no);
#    chain-hostnames(yes);
    chain-hostnames(no);

    };


source s_syslog_over_network {
        network(
                ip(0.0.0.0)
                log-fetch-limit(200)
                log-iw-size(1000000)
                keep-alive(yes)
                max_connections(10000)
                port(12229)
                transport("tcp")
                flags(no-parse)
        );
};



destination d_syslog_tcp {
        network(
                "10.12.86.76"
                transport("tcp")
                port(12221)
        );
};

log {
        source(s_syslog_over_network);
        destination(d_syslog_tcp);
};
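To see why the SIEM ends up with Syslog-Relay1 as the source, it helps to trace what each hop does to the HOST field. The following is an added example, not code from the question or from syslog-ng: it is a simplified model of a syslog-ng network() source (keep-hostname, use-dns(no), flags(no-parse)) and of the network() destination's default RFC 3164 template, applied to the Client -> Relay1 -> Relay2 -> SIEM chain. The client line and the Client/Relay1 addresses are constructed (only 10.12.86.98, Relay2, comes from the question), and the model also shows two alternative relay settings so the effect of each option can be compared.

```python
"""Model of how a chain of syslog-ng relays rewrites the HOST field.

Added example: reproduces only the rules that matter for the HOST field of a
network() source and the default template of a network() destination.
"""
import re
from dataclasses import dataclass

# Constructed addresses for the hops; 10.12.86.98 is Relay2 as in the question.
CLIENT_IP = "10.12.86.10"
RELAY1_IP = "10.12.86.20"
RELAY2_IP = "10.12.86.98"
NOW = "Dec 12 10:00:01"          # stand-in for a relay's receive timestamp

# <PRI>TIMESTAMP HOST MSGHDR MSG (BSD syslog, which is what this setup carries)
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# Constructed client message.
CLIENT_LINE = "<13>Dec 12 10:00:00 client-host sshd[42]: Accepted publickey for ops"


@dataclass
class Msg:
    pri: int
    ts: str
    host: str
    body: str


def receive(line: str, peer_ip: str, keep_hostname: bool, no_parse: bool) -> Msg:
    """What a network() source stores for one incoming line (use-dns(no) assumed)."""
    if no_parse:
        # flags(no-parse): the whole line is the MESSAGE, HOST is the sending peer.
        return Msg(13, NOW, peer_ip, line)
    m = RFC3164.match(line)
    if m is None:
        return Msg(13, NOW, peer_ip, line)
    pri, ts, host, body = m.groups()
    # keep-hostname(no) replaces the parsed hostname with the peer's address.
    return Msg(int(pri), ts, host if keep_hostname else peer_ip, body)


def forward(msg: Msg) -> str:
    """The network() destination default template: <PRI>DATE HOST MSGHDR MSG."""
    return f"<{msg.pri}>{msg.ts} {msg.host} {msg.body}"


def run_chain(relay1: dict, relay2: dict) -> tuple[str, str]:
    """Return (HOST as the SIEM parses it, the raw line the SIEM receives)."""
    to_relay2 = forward(receive(CLIENT_LINE, CLIENT_IP, **relay1))
    to_siem = forward(receive(to_relay2, RELAY1_IP, **relay2))
    # The SIEM trusts the HOST in the header it receives from Relay2.
    siem_view = receive(to_siem, RELAY2_IP, keep_hostname=True, no_parse=False)
    return siem_view.host, to_siem


# Settings from the question (both relays identical).
AS_POSTED = dict(keep_hostname=False, no_parse=True)
# Relay2 trusting the HOST written by Relay1 and parsing Relay1's header.
RELAY2_TRUST_RELAY1 = dict(keep_hostname=True, no_parse=False)
# Both relays parsing and keeping the hostname carried in the message itself.
PASSTHROUGH = dict(keep_hostname=True, no_parse=False)


if __name__ == "__main__":
    for label, r1, r2 in [("as posted", AS_POSTED, AS_POSTED),
                          ("Relay2 keep-hostname(yes), parsed", AS_POSTED, RELAY2_TRUST_RELAY1),
                          ("keep-hostname(yes) everywhere", PASSTHROUGH, PASSTHROUGH)]:
        host, raw = run_chain(r1, r2)
        print(f"{label:36s} SIEM HOST={host}\n  {raw}")
```

With the settings as posted, Relay1 stores the Client's IP as HOST (no-parse plus keep-hostname(no)), but Relay2 does the same thing to Relay1, so the header the SIEM parses names Relay1. Note also that every no-parse hop leaves the previous header inside the MESSAGE part, so the raw line the SIEM receives carries a nested header per relay.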
1

Yes. I indeed followed the guide and, like I said, all issues started when we introduced the second relay.

xor_lord

1 Answer

1 vote

If you want to use the Client's IP address in the SIEM, you have to:

  1. set keep-hostname(no) and use-dns(no) on Syslog-Relay1

This will discard the original HOST field of the messages from Client and use the IP address of Client instead.

  2. set keep-hostname(yes) on Syslog-Relay2

On Syslog-Relay1, the HOST field of the message was overwritten. You want to keep this and forward it to the SIEM.

  3. remove flags(no-parse) from s_syslog_over_network on Syslog-Relay2

The IP of Client is stored in the message, so it has to be parsed before forwarding it towards the SIEM.
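The two relay configurations with those three changes applied, as an added example assembled from the question's own files (not posted by the answerer). The IPs and ports are the question's; options that do not affect the HOST field are left out for brevity, and the rest of the question's options block can be kept as it was.

```conf
# ---------- Syslog-Relay1 (10.12.86.xx -> 10.12.86.98:12229) ----------
@version:3.5
@include "scl.conf"

options {
    keep-hostname(no);      # step 1: overwrite HOST with the sending peer
    use-dns(no);            # step 1: ... as an IP address, not a resolved name
    use-fqdn(no);
    chain-hostnames(no);
};

source s_syslog_over_network {
    network(
        ip(0.0.0.0)
        port(9999)
        transport("tcp")
        keep-alive(yes)
        flags(no-parse)     # left as posted: HOST is still the Client's address
    );
};

destination d_syslog_tcp {
    network("10.12.86.98" transport("tcp") port(12229));
};

log { source(s_syslog_over_network); destination(d_syslog_tcp); };


# ---------- Syslog-Relay2 (:12229 -> 10.12.86.76:12221) ----------
@version:3.5
@include "scl.conf"

options {
    keep-hostname(yes);     # step 2: trust the HOST that Relay1 wrote
    use-dns(no);
    use-fqdn(no);
    chain-hostnames(no);
};

source s_syslog_over_network {
    network(
        ip(0.0.0.0)
        port(12229)
        transport("tcp")
        keep-alive(yes)
        # step 3: flags(no-parse) removed, so Relay1's header is parsed
    );
};

destination d_syslog_tcp {
    network("10.12.86.76" transport("tcp") port(12221));
};

log { source(s_syslog_over_network); destination(d_syslog_tcp); };
```

Check each file with `syslog-ng --syntax-only -f <file>` before reloading. To verify the result end to end, send a test line from the client with util-linux `logger -n <relay1> -P 9999 -T "chain test"` and confirm the SIEM attributes it to the client's IP. One caveat: because Relay1 still uses flags(no-parse), the client's original header stays inside the message body, so the SIEM receives a line with a nested header; if the SIEM needs a clean message, remove flags(no-parse) on Relay1 as well, in which case keep-hostname(no) there still rewrites HOST to the Client's IP.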