Solved

Syslog-NG per destination DNS

Posted on 2011-03-18
2
604 Views
Last Modified: 2012-05-11
I have a syslog-ng server which is responsible for forwarding all my logs to a couple different servers for analysis. The latest product I'm working with requires IP addresses and not names to process my logs. I can't turn the DNS options off globally as it will break my other systems.

It looks like the use_dns option can be set per source but all of my logs come in through a single source - net udp port 514. Is there a ready way to handle these logs such that they be addressed by either dns name or IP?
0
Comment
Question by:timbrigham
  • 2
2 Comments
 
LVL 1

Accepted Solution

by:
timbrigham earned 0 total points
ID: 35184120
In the end I opted to set up a dedicated Syslog-NG which only provides routing to my back end processing servers. I can drop it in to my existing architecture and moving the logging server residing at that IP with minimal disruption. With a combination of address spoofing and rewrites I managed to get the data massaged into a usable format. If anyone runs across a similar issue I'm posting my Syslog-NG config file.
cat syslog-ng.conf
@version: 3.0
#
# configuration file for syslog-ng, customized for remote logging
#

options { use_dns(no); keep_hostname(no); use_fqdn(no); chain_hostnames(no); flush_lines(1);};

rewrite r_ossim{subst("\t",";",value("HOST"),flags("global"));
subst("\t",";",value("MESSAGE"),flags("global"));               subst("\t",";",value("PROGRAM"),flags("global")); };

source s_remote{udp(ip(0.0.0.0) port(514));};

destination d_ossim
        {udp("ossim" port(514) spoof_source(yes) ); };

destination d_splunk
        {udp("splunk" port(515) spoof_source(yes) );};

log{
 source( s_remote );
 rewrite( r_ossim );
 destination( d_ossim );
 };
log
{
source( s_remote );
destination( d_splunk );
# Splunk has another instance of syslog-NG running which adds the server name by DNS. 
};

Open in new window

0
 
LVL 1

Author Closing Comment

by:timbrigham
ID: 35184123
Solved myself.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
looking for a CENTOS ISO to download with x window installed 2 39
Wired Network vs Wireless 12 58
Internet Service Provider 3 51
E-mail delayed during DNS server reboot 8 39
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question