Display original source of message when logs are aggregated through rsyslog server

I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server and then forwarding these messages to a KiwiSyslog server. Unfortunately, when this happens all of the messages received by Kiwi are labelled with the hostname/IP of the rsyslog server and not their original source. I am unable to enable UDP spoofing on the rsyslog server as the firewall will only allow traffic from this server's IP and not the spoofed addresses.


Take the following example:
InternalServer1 -> KiwiSyslogServer
-Kiwi is able to resolve the name of InternalServer1 and everything works fine.

DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
-Kiwi is not able to resolve the name of DMZServer1 as the incoming messages are stamped with the IPAddress of the DMZRSyslogServer


I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:

"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddres value would be 192.168.1.1."

So would a script similar to the following work? Anyone have any experience with this?

Function Main()
  ' Replace DMZServerIP with ActualSourceIP within the message hostname
  Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
  ' Return OK to tell syslog that the script ran correctly.
  Main = "OK"
End Function

Thanks,
Ryan
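The following is an added toy model of the relay chain in this question (constructed example code, not Kiwi's or rsyslog's own). It shows why the collector ends up labelling messages with the relay's address: a syslog receiver can only recover the original source from the HOSTNAME field of the syslog header, so a relay that forwards the header unchanged (what a correctly configured rsyslog forwarding template does) keeps DMZServer1 visible, while a relay that re-wraps the text in a new header, or sends "raw" text with no header, leaves the collector nothing but the transport peer address. All hostnames, IPs and log lines are constructed for the demonstration.

```python
"""Toy model of 'DMZServer1 -> relay -> collector' (constructed example).

Distinguishes the transport peer address (what Kiwi exposes as
Fields.VarPeerAddress) from the HOSTNAME carried inside the syslog
header, and shows which relay behaviours preserve the original source.
"""
import re
from dataclasses import dataclass

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$"
)


@dataclass
class Datagram:
    peer: str      # source IP of the UDP packet as seen by the receiver
    payload: str   # raw syslog text carried in the packet


def parse(payload):
    """Return (hostname, body) from the header, or (None, payload) when the
    text is not a well-formed RFC 3164 message (e.g. 'raw' text without PRI)."""
    m = RFC3164.match(payload)
    if not m:
        return None, payload
    return m.group("host"), m.group("body")


def collector_view(dg):
    """What a collector labels the message with: the header HOSTNAME when one
    can be parsed, otherwise it falls back to the transport peer address."""
    host, body = parse(dg.payload)
    return {
        "peer": dg.peer,
        "source": host if host is not None else dg.peer,
        "body": body,
        "parsed": host is not None,
    }


def relay_preserving(dg, relay_ip):
    """Relay that forwards the message text unchanged: only the transport
    peer changes, the header HOSTNAME (DMZServer1) survives."""
    return Datagram(peer=relay_ip, payload=dg.payload)


def relay_rewrapping(dg, relay_ip, relay_host, ts):
    """Relay that treats the incoming text as plain message text and wraps it
    in a new header carrying its own hostname: the original source is lost."""
    return Datagram(peer=relay_ip, payload=f"<13>{ts} {relay_host} relay: {dg.payload}")


def demo():
    """Run the three cases from the thread and return the collector's view of each."""
    relay_ip = "10.1.1.1"  # constructed DMZRSyslogServer address
    orig = Datagram("10.1.1.10",
                    "<34>Oct  9 12:00:01 DMZServer1 sshd[123]: Accepted publickey for ops")
    # 1. relay keeps the header: collector sees DMZServer1 although the peer is the relay
    good = collector_view(relay_preserving(orig, relay_ip))
    # 2. relay re-wraps the text: collector sees the relay's hostname
    bad = collector_view(relay_rewrapping(orig, relay_ip, "DMZRSyslogServer", "Oct  9 12:00:02"))
    # 3. 'raw' text with no PRI/header: collector can only stamp the peer address
    raw_msg = Datagram("10.1.1.10", "DMZServer1 sshd[123]: Accepted publickey for ops")
    raw = collector_view(relay_preserving(raw_msg, relay_ip))
    return good, bad, raw


if __name__ == "__main__":
    for label, view in zip(("preserved", "rewrapped", "raw"), demo()):
        print(f"{label:9s} peer={view['peer']:9s} source={view['source']}")
```

The point for the setup described above: fixing the relay so that the forwarded datagram still carries the original HOSTNAME in its header (case 1) is what lets the collector resolve DMZServer1, whereas rewriting the hostname on the collector afterwards (the script idea) only works if the original name is still somewhere in the text to be recovered.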


  • Hi Ryan,

    Looking at your original post, it looks to me like your problem is how you configure the forwarding from the RSyslog server rather than forwarding from Kiwi.

    Kiwi already has the ability to forward whilst retaining the original (source) address - see image below.

    [attached image: pastedImage_0.png]

    Google should be your friend to resolve this and a quick look found this URL

    rsyslog - Syslog forwarding loses original hostname - Server Fault

    Dog

  • Hello,

    I have the same problem.

    My schema is like this:

    Clients(Apps, servers, devices) ---> Relay (rsyslog on linux) ---> Syslog distant (Kiwi syslog)

    If I use raw (text only, without priority) as log format, on the hard drive logs are OK, but not in the console.

    So for me Kiwi is adding the data of the transaction with the relay, I mean date, time and hostname of the relay.

    Maybe it is necessary to use a parser and feed a display with the parser output.

    But I do not know why in the first place Kiwi is adding all this extra information.

    If I use another rsyslog in place of Kiwi we do not have this problem.

    Sincerely
