
Display original source of message when logs are aggregated through rsyslog server

I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server and then forwarding these messages to a KiwiSyslog server. Unfortunately when this happens all of the messages received by Kiwi are labelled with the hostname/IP of the rsyslog server and not their original source. I am unable to enable UDP spoofing on the rsyslog server as the firewall will only allow traffic from this server's IP and not the spoofed addresses.


Take the following example:
InternalServer1 -> KiwiSyslogServer
-Kiwi is able to resolve the name of InternalServer1 and everything works fine.

DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
-Kiwi is not able to resolve the name of DMZServer1 as the incoming messages are stamped with the IPAddress of the DMZRSyslogServer


I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:

"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddress value would be 192.168.1.1."

So would a script similar to the following work? Anyone have any experience with this?

Function Main()
  ' Replace DMZServerIP with ActualSourceIP within the message hostname
  Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
  ' Return OK to tell syslog that the script ran correctly.
  Main = "OK"
End Function

Thanks,
Ryan
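As an added example (not from the original post, and not Kiwi or rsyslog code), here is a small Python model of the two paths in the question: it parses the RFC 3164 header so the hostname carried inside the message can be compared with the peer address a collector labels by, and models a relay that stamps its own name in only when the client sent no hostname. All addresses and messages are constructed.

```python
import re
from dataclasses import dataclass

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG.  HOSTNAME is optional on the wire,
# and that is exactly when a relay or collector falls back to the sending peer's address.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s:]+) )?"
    r"(?P<tag>[^\s:\[]+(?:\[\d+\])?):\s?(?P<msg>.*)$"
)

@dataclass
class Origin:
    labelled_as: str  # what a collector that labels by peer address will show
    in_header: str    # what the message header itself says ("" if absent)

def parse_rfc3164(line: str) -> dict:
    """Split a BSD-syslog line into its header fields (heuristic, as the format is)."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    return m.groupdict()

def origin_of(line: str, peer_address: str) -> Origin:
    """Contrast the peer-based label with the hostname carried in the header."""
    host = parse_rfc3164(line)["host"]
    return Origin(labelled_as=peer_address, in_header=host or "")

def relay(line: str, relay_name: str) -> str:
    """Model an intermediate relay: forward the header unchanged when it carries a
    hostname, but stamp the relay's own name in when the client sent none."""
    f = parse_rfc3164(line)
    host = f["host"] or relay_name
    return f"<{f['pri']}>{f['ts']} {host} {f['tag']}: {f['msg']}"

# Constructed sample traffic for the two paths in the post (addresses are made up).
INTERNAL_MSG = "<34>Oct 11 22:14:15 InternalServer1 sshd[812]: session opened for user ryan"
DMZ_MSG      = "<34>Oct 11 22:14:16 DMZServer1 sshd[913]: session opened for user ryan"
NOHOST_MSG   = "<30>Oct 11 22:14:17 dhclient[44]: bound to 192.0.2.77"   # device sent no hostname
DMZ_RELAY_IP = "192.0.2.20"

def trace_dmz_path() -> Origin:
    """DMZServer1 -> DMZRSyslogServer -> collector: the collector's peer is the relay."""
    forwarded = relay(DMZ_MSG, "DMZRSyslogServer")
    return origin_of(forwarded, DMZ_RELAY_IP)
```

Calling trace_dmz_path() shows the collector's peer as the relay address while the header still names DMZServer1; only the no-hostname message loses its origin, because the relay writes its own name into the header.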


  • I don't think that will work.  To my knowledge there isn't a way to change the hostname field in the display. Maybe someone from the Solarwinds team can provide more info.

    You can change the filename for log files by saving the VarPeerAddress to a Custom Variable and using that custom variable for the auto-split.

  • I don't think that it's just displaying the wrong origin, I think it's discarding the origin.

    Our intention is to use rsyslog to collect at remote sites and then forward to kiwi & logstash, but I don't know that it's going to work if this is a problem.  FWIW, Logstash shows the correct origin.

  • According to support, the only way this happens is to parse them into log files.

    Since our purpose was to forward to Orion from Kiwi and we want to aggregate then forward to a central server, that is not going to work. From our perspective, that is improper handling of forwarded messages, which makes it a bug in the software.

  • Hi Ryan,

    Looking at your original post, it looks to me like your problem is how you configure the forwarding from the RSyslog server rather than forwarding from Kiwi.

    Kiwi already has the ability to forward whilst retaining the original (source) address - see image below.


    Google should be your friend to resolve this and a quick look found this URL

    rsyslog - Syslog forwarding loses original hostname - Server Fault

    Dog

  • Did you get any further with this use case?

  • I think Dogeron was onto the correct answer. Without seeing the config of the intermediate rsyslog server we can't assume it is forwarding the log message with the original source. By default it will not; nor does Kiwi.

  • Hello,

    I have the same problem.

    My schema is like this:

    Clients(Apps, servers, devices) ---> Relay (rsyslog on linux) ---> Syslog distant (Kiwi syslog)

    If I use raw (text only without priority) as log format, on the hard drive the logs are OK, but not in the console.

    So for me Kiwi is adding the data of the transaction with the relay, I mean the date, time and hostname of the relay.

    Maybe it is necessary to use a parser and feed a display with the parser output.

    But I do not know why in the first place Kiwi is adding all this extra information.

    If I use another rsyslog in place of Kiwi we do not have this problem.

    Sincerely