In this post we bring you another sneak peek at some of the good stuff in the upcoming release of Orion 10, and this one is all about keepin’ it real when it comes to forwarding Syslog messages. Many of you have Syslog messages sent to Orion where you may do some filtering or parsing before forwarding those messages on to another Syslog server or NMS. Prior to Orion 10, when these messages were forwarded from Orion they would appear as if they were forwarded from the IP address of the Orion server, thus losing the IP of the actual source from which the Syslog message originated. In Orion 10 we’ve given you a few additional options in terms of retaining the source IP when forwarding those Syslog messages from the Orion server. Let’s take a look at some Syslog messages being sent to the Orion server located at 10.199.15.54.
Here we see a bunch of Syslog messages being forwarded to Orion from 10.199.15.64. We are sending these Syslog messages from the Kiwi Syslog Generator at that IP. Orion is then going to forward these messages to another server located at 10.199.15.40. Let’s take a look at what those messages look like.
Notice the problem? Although the source IP from which the Syslog messages originate is .64, Orion is forwarding the messages as if they came from .54. In other words, once the messages reach 10.199.15.40, we’ve lost the source IP from which the messages originated. Let’s take a look at how to fix that.
Here we see the screen for editing the action for the Syslog rule that is forwarding our Syslog messages from the Orion server to 10.199.15.40. Note the highlighted area. You can now configure the action to retain the original source IP of the message. There are a couple of ways to do this. Here we have selected the spoofing option, which is available because WinPcap is installed on the Orion server. Now that we’ve reconfigured the forwarding rule with these options enabled, let’s take a look at the Syslog messages again at 10.199.15.40.
Notice the two highlighted entries. The Syslog messages are now showing the source IP from which they originated instead of the IP of the Orion server. Voila!
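To make the problem concrete, here is a small added Python model (not Orion code, not from SolarWinds) of the pre-Orion-10 behaviour: a relay that re-sends each message from its own address, plus the check a collector can run to detect that the transport-level source no longer matches the originating host in the message header. It assumes BSD-style RFC 3164 messages; the IP addresses are the ones from this post, used as constructed sample data.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample datagrams as (transport source IP, raw syslog payload), modelled on
# the post's topology: generator 10.199.15.64 -> Orion 10.199.15.54 -> collector 10.199.15.40.
SAMPLE_DATAGRAMS: List[Tuple[str, str]] = [
    ("10.199.15.64", "<34>Oct 11 22:14:15 10.199.15.64 sshd[1042]: Failed password for root"),
    ("10.199.15.64", "<13>Oct 11 22:14:16 10.199.15.64 app: link up"),
]
RELAY_IP = "10.199.15.54"  # the Orion server in the post

# RFC 3164 style header: <PRI>TIMESTAMP HOSTNAME MSG (format is an assumption for this example)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse_rfc3164(raw: str) -> Optional[Dict[str, object]]:
    """Split a BSD-style syslog line into facility, severity, timestamp, hostname and body."""
    m = _RFC3164.match(raw)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI is facility*8 + severity, facility 0..23, severity 0..7
        return None
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "hostname": m.group("host"), "msg": m.group("msg")}


def relay_without_spoofing(datagrams: List[Tuple[str, str]], relay_ip: str) -> List[Tuple[str, str]]:
    """Model the pre-Orion-10 relay: payload unchanged, but every datagram now comes from the relay."""
    return [(relay_ip, raw) for _src, raw in datagrams]


def origin_mismatches(datagrams: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Collector-side check: flag messages whose header host is an IP literal that differs from
    the transport source, the sign that a relay replaced the originator's address."""
    findings = []
    for src, raw in datagrams:
        parsed = parse_rfc3164(raw)
        if parsed is None:
            continue
        host = str(parsed["hostname"])
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # header carries a hostname, not an address; no direct comparison possible
        if host != src:
            findings.append((src, host))
    return findings
```

Run `origin_mismatches` over the datagrams as received directly and over `relay_without_spoofing(...)` to see the discrepancy appear only after the relay.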
There are a couple of additional Syslog related features in Orion 10; more on those in a future post.