Solved

Syslog-NG per destination DNS

Posted on 2011-03-18
2
602 Views
Last Modified: 2012-05-11
I have a syslog-ng server which is responsible for forwarding all my logs to a couple different servers for analysis. The latest product I'm working with requires IP addresses and not names to process my logs. I can't turn the DNS options off globally as it will break my other systems.

It looks like the use_dns option can be set per source but all of my logs come in through a single source - net udp port 514. Is there a ready way to handle these logs such that they be addressed by either dns name or IP?
0
Comment
Question by:timbrigham
  • 2
2 Comments
 
LVL 1

Accepted Solution

by:
timbrigham earned 0 total points
ID: 35184120
In the end I opted to set up a dedicated Syslog-NG which only provides routing to my back end processing servers. I can drop it in to my existing architecture and moving the logging server residing at that IP with minimal disruption. With a combination of address spoofing and rewrites I managed to get the data massaged into a usable format. If anyone runs across a similar issue I'm posting my Syslog-NG config file.
cat syslog-ng.conf
@version: 3.0
#
# configuration file for syslog-ng, customized for remote logging
#

options { use_dns(no); keep_hostname(no); use_fqdn(no); chain_hostnames(no); flush_lines(1);};

rewrite r_ossim{subst("\t",";",value("HOST"),flags("global"));
subst("\t",";",value("MESSAGE"),flags("global"));               subst("\t",";",value("PROGRAM"),flags("global")); };

source s_remote{udp(ip(0.0.0.0) port(514));};

destination d_ossim
        {udp("ossim" port(514) spoof_source(yes) ); };

destination d_splunk
        {udp("splunk" port(515) spoof_source(yes) );};

log{
 source( s_remote );
 rewrite( r_ossim );
 destination( d_ossim );
 };
log
{
source( s_remote );
destination( d_splunk );
# Splunk has another instance of syslog-NG running which adds the server name by DNS. 
};

Open in new window

0
 
LVL 1

Author Closing Comment

by:timbrigham
ID: 35184123
Solved myself.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now