Solved

Syslog-NG per destination DNS

Posted on 2011-03-18
Last Modified: 2012-05-11
I have a syslog-ng server which is responsible for forwarding all my logs to a couple different servers for analysis. The latest product I'm working with requires IP addresses and not names to process my logs. I can't turn the DNS options off globally as it will break my other systems.

It looks like the use_dns option can be set per source but all of my logs come in through a single source - net udp port 514. Is there a ready way to handle these logs such that they be addressed by either dns name or IP?
Question by:timbrigham
Accepted Solution

by:timbrigham
ID: 35184120
In the end I opted to set up a dedicated Syslog-NG which only provides routing to my back end processing servers. I can drop it into my existing architecture and move the logging server residing at that IP with minimal disruption. With a combination of address spoofing and rewrites I managed to get the data massaged into a usable format. If anyone runs across a similar issue I'm posting my Syslog-NG config file.
cat syslog-ng.conf
@version: 3.0
#
# configuration file for syslog-ng, customized for remote logging
#

# Global options: never resolve sender addresses, so HOST carries the IP.
options { use_dns(no); keep_hostname(no); use_fqdn(no); chain_hostnames(no); flush_lines(1); };

# Replace tabs with semicolons in the fields forwarded to OSSIM.
rewrite r_ossim {
        subst("\t", ";", value("HOST"), flags("global"));
        subst("\t", ";", value("MESSAGE"), flags("global"));
        subst("\t", ";", value("PROGRAM"), flags("global"));
};

source s_remote { udp(ip(0.0.0.0) port(514)); };

# spoof_source(yes) forwards each packet with the original sender's address as its source.
destination d_ossim
        { udp("ossim" port(514) spoof_source(yes)); };

destination d_splunk
        { udp("splunk" port(515) spoof_source(yes)); };

log {
        source(s_remote);
        rewrite(r_ossim);
        destination(d_ossim);
};

log {
        source(s_remote);
        destination(d_splunk);
        # Splunk has another instance of syslog-NG running which adds the server name by DNS.
};

Author Closing Comment

by:timbrigham
ID: 35184123
Solved myself.
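
A way to confirm that the relay in the accepted solution delivers what the IP-only product needs (an IP literal in the HOST field and no tab characters), added here as an example and not part of the original post. It assumes the relayed lines use the BSD syslog header layout `<PRI>Mmm dd hh:mm:ss HOST ...`; the function names are hypothetical and the sample lines are constructed.

```python
import ipaddress
import re

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOST rest-of-message
# (assumed layout; adjust the pattern if the relay uses a custom template)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL,
)

def check_line(line):
    """Return a list of problems found in one relayed syslog line."""
    problems = []
    m = HEADER.match(line.rstrip("\n"))
    if m is None:
        return ["unparseable header"]
    if int(m.group("pri")) > 191:
        problems.append("PRI out of range")
    try:
        ipaddress.ip_address(m.group("host"))
    except ValueError:
        problems.append("HOST is a name, not an IP: " + m.group("host"))
    if "\t" in line:
        problems.append("tab character survived the rewrite")
    return problems

def audit(lines):
    """Map line number -> problems, only for lines that fail."""
    report = {}
    for n, line in enumerate(lines, 1):
        found = check_line(line)
        if found:
            report[n] = found
    return report

# Constructed sample lines, not captured from a real system.
SAMPLE = [
    "<13>Mar 18 10:15:02 192.0.2.10 sshd[411]: Accepted publickey for ops",
    "<13>Mar 18 10:15:03 web01 sshd[411]: session opened",
    "<30>Mar 18 10:15:04 192.0.2.11 app: field1\tfield2",
    "<30>Mar  8 10:15:05 192.0.2.11 app: field1;field2",
    "garbage without a header",
]

if __name__ == "__main__":
    for n, found in audit(SAMPLE).items():
        print(n, "; ".join(found))
```

Run it over lines captured on the receiving server; an empty report means every line carried an IP in HOST and no tabs.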