
Keepin’ it Real – Retaining the Source IP

Product Manager

In this post we bring you another sneak peek at some of the good stuff in the upcoming release of Orion 10, and this one is all about keepin’ it real when it comes to forwarding Syslog messages.  Many of you have Syslog messages sent to Orion where you may do some filtering or parsing before forwarding those messages on to another Syslog server or NMS.  Prior to Orion 10, when these messages were forwarded from Orion they would appear as if they were forwarded from the IP address of the Orion server, thus losing the IP of the actual source from which the Syslog message originated.  In Orion 10 we’ve given you a few additional options in terms of retaining the source IP when forwarding those Syslog messages from the Orion server.  Let’s take a look at some Syslog messages being sent to the Orion server located at 10.199.15.54.

[Screenshot: syslog_orion_server]

Here we see a bunch of Syslog messages being forwarded to Orion from 10.199.15.64.  We are sending these Syslog messages from the Kiwi Syslog Generator at that IP.  Orion is then going to forward these messages to another server located at 10.199.15.40.  Let’s take a look at what those messages look like.

[Screenshot: syslog_source_IP_54]

Notice the problem?  Although the source IP from which the Syslog messages originate is .64, Orion is forwarding the messages as if they came from .54.  In other words, once the messages reach 10.199.15.40, we’ve lost the source IP from which the messages originated.  Let’s take a look at how to fix that.

[Screenshot: syslog_edit_action_spoof]

Here we see the screen for editing the action for the Syslog rule that is forwarding our Syslog messages from the Orion server to 10.199.15.40.  Note the highlighted area.  You can now configure the action to retain the original source IP of the message.  There are a couple of ways to do this.  Here we have selected the spoofing option, which we’re able to do by having WinPcap installed on the Orion server.  Now that we’ve reconfigured the forwarding rule with these options enabled, let’s take a look at the Syslog messages again at 10.199.15.40.

[Screenshot: syslog_source_IP_64]

Notice the two highlighted entries.  The Syslog messages are now showing the source IP from which they originated instead of the IP of the Orion server.  Voila! 
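
An added example, not part of the original post and not SolarWinds code: how the downstream collector at 10.199.15.40 could attribute each datagram in the two cases shown above, forwarded with the Orion address and forwarded with the original address. It assumes messages carry an RFC 3164 header with a HOSTNAME field and that the collector is configured with the list of forwarders; `attribute`, `RELAYS` and the sample datagrams are constructed for illustration.

```python
import re

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Assumption: the collector is told which senders are forwarders.
RELAYS = {"10.199.15.54"}


def attribute(packet_src, datagram, relays=RELAYS):
    """Return (origin, basis) for one received syslog datagram."""
    if packet_src not in relays:
        # Direct sender, or a forwarder that rewrote the source address.
        # The two cases look identical at the UDP layer.
        return packet_src, "packet-source"
    text = datagram.decode("utf-8", errors="replace")
    m = HEADER.match(text)
    if m:
        # Forwarder kept its own address; fall back to the HOSTNAME field.
        return m.group("host"), "header-hostname"
    # Forwarder address and no usable header: the origin is gone.
    return packet_src, "origin-lost"


# Constructed sample datagrams as seen by the collector at 10.199.15.40.
SAMPLES = [
    ("10.199.15.54", b"<134>Oct 11 22:14:15 10.199.15.64 test: link up"),
    ("10.199.15.54", b"<134>link up"),
    ("10.199.15.64", b"<134>Oct 11 22:14:15 10.199.15.64 test: link up"),
]

if __name__ == "__main__":
    for src, data in SAMPLES:
        origin, basis = attribute(src, data)
        print(f"from {src:<13} origin {origin:<13} ({basis})")
```

The third sample is what the collector sees once the original source address is retained: the packet source alone identifies the device, so per-source filters and alerts on the downstream server keep working even when the message body has no header.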

There are a couple of additional Syslog related features in Orion 10; more on those in a future post.

About the Author
Let me introduce myself.  My name is Craig McDonald, and I come from the land of video games and stock trading, sprinkled with identity management, and, by the way, I like to write.  Checkered past, you say?  How did you end up in network management, you ask?  Perfectly valid questions; I will connect the dots for you and it will all make sense shortly. I studied journalism at the University of Texas at Austin where I had the opportunity to write for The Daily Texan and Texas Monthly.  Upon graduation I was faced with two options: move to a small town and start my career at an even smaller newspaper, or make a home in Austin and see where this crazy tech town would take me.  I chose the latter, and ended up working in support and managing QA for a popular MMORPG called Ultima Online (this was before WoW was a sparkle in Blizzard's eye). After a few years of policing the haXXorZ, overseeing a few in-game weddings, and shipping several expansion skus, I decided it was time for a change.  I remember the advice from one of my journalism professors when I asked about pursuing a graduate degree; his suggestion, "Go to business school!"  I heeded his advice, got accepted to the McCombs School of Business at the University of Texas, and started working on my MBA. While finishing my MBA at McCombs, I was presented with an opportunity to work for a company that developed online trading software (Charles Schwab, formerly CyberTrader).  This may seem a stretch from video games, but the client/server infrastructure and the uptime requirements for an MMORPG and a securities trading engine are quite similar.  Although the content and use cases are obviously very different, both require fast connections and the ability to allow users to log into the service at any time.  My next career move was into the enterprise software arena where I worked as a product manager for Sun Microsystems in the Identity Management space. 
Fast forward to today, I'm your newest product manager at SolarWinds.  I will be managing Toolset, VoiP, and eventually the Kiwi products.  Outside of the SolarWinds 'Borg' (assimilation is swift and definitive), I keep busy with my lovely wife, two beautiful kiddos, and a pug named Marley.  When they go to bed, I'm either watching a movie, reading a book (working on Atlas Shrugged, and it is work, indeed), or staring at the red circle of death on my XBOX 360.