[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 629
  • Last Modified:

Syslog-NG per destination DNS

I have a syslog-ng server which is responsible for forwarding all my logs to a couple different servers for analysis. The latest product I'm working with requires IP addresses and not names to process my logs. I can't turn the DNS options off globally as it will break my other systems.

It looks like the use_dns option can be set per source but all of my logs come in through a single source - net udp port 514. Is there a ready way to handle these logs such that they be addressed by either dns name or IP?
0
timbrigham
Asked:
timbrigham
  • 2
1 Solution
 
timbrighamAuthor Commented:
In the end I opted to set up a dedicated Syslog-NG which only provides routing to my back end processing servers. I can drop it in to my existing architecture and moving the logging server residing at that IP with minimal disruption. With a combination of address spoofing and rewrites I managed to get the data massaged into a usable format. If anyone runs across a similar issue I'm posting my Syslog-NG config file.
cat syslog-ng.conf
@version: 3.0
#
# configuration file for syslog-ng, customized for remote logging
#

options { use_dns(no); keep_hostname(no); use_fqdn(no); chain_hostnames(no); flush_lines(1);};

rewrite r_ossim{subst("\t",";",value("HOST"),flags("global"));
subst("\t",";",value("MESSAGE"),flags("global"));               subst("\t",";",value("PROGRAM"),flags("global")); };

source s_remote{udp(ip(0.0.0.0) port(514));};

destination d_ossim
        {udp("ossim" port(514) spoof_source(yes) ); };

destination d_splunk
        {udp("splunk" port(515) spoof_source(yes) );};

log{
 source( s_remote );
 rewrite( r_ossim );
 destination( d_ossim );
 };
log
{
source( s_remote );
destination( d_splunk );
# Splunk has another instance of syslog-NG running which adds the server name by DNS. 
};

Open in new window

0
 
timbrighamAuthor Commented:
Solved myself.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now