Syslog-NG per destination DNS

Posted on 2011-03-18
Last Modified: 2012-05-11
I have a syslog-ng server which is responsible for forwarding all my logs to a couple different servers for analysis. The latest product I'm working with requires IP addresses and not names to process my logs. I can't turn the DNS options off globally as it will break my other systems.

It looks like the use_dns option can be set per source, but all of my logs come in through a single source: net udp port 514. Is there a ready way to handle these logs such that they can be addressed by either DNS name or IP?
Question by:timbrigham
2 Comments
 
LVL 1

Accepted Solution

by: timbrigham earned 0 total points
ID: 35184120
In the end I opted to set up a dedicated Syslog-NG which only provides routing to my back end processing servers. I can drop it in to my existing architecture and move the logging server residing at that IP with minimal disruption. With a combination of address spoofing and rewrites I managed to get the data massaged into a usable format. If anyone runs across a similar issue, I'm posting my Syslog-NG config file.
cat syslog-ng.conf
@version: 3.0
#
# configuration file for syslog-ng, customized for remote logging
#

# Global: never resolve sender addresses, and replace the hostname the client
# wrote with the sender's address (an IP, since use_dns is off).
options { use_dns(no); keep_hostname(no); use_fqdn(no); chain_hostnames(no); flush_lines(1); };

# Replace every tab with a semicolon in the host, message and program fields.
rewrite r_ossim {
    subst("\t", ";", value("HOST"), flags("global"));
    subst("\t", ";", value("MESSAGE"), flags("global"));
    subst("\t", ";", value("PROGRAM"), flags("global"));
};

source s_remote { udp(ip(0.0.0.0) port(514)); };

# spoof_source(yes): forward with the original sender's address as the UDP source.
destination d_ossim { udp("ossim" port(514) spoof_source(yes)); };

destination d_splunk { udp("splunk" port(515) spoof_source(yes)); };

log {
    source(s_remote);
    rewrite(r_ossim);
    destination(d_ossim);
};

log {
    source(s_remote);
    destination(d_splunk);
    # Splunk has another instance of syslog-ng running which adds the server name by DNS.
};

0
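To make the effect of the options in that config concrete, here is an added Python model of what the relay does to a single datagram (example code, not part of the original post and not syslog-ng's own code): it mimics keep_hostname(no) combined with use_dns(no) or use_dns(yes), and the r_ossim tab-to-semicolon rewrite. The reverse-DNS table, the sample datagram and the sender addresses are constructed for the example.

```python
import re
from typing import Dict

# Constructed stand-in for a reverse-DNS resolver; no real lookups are made.
REVERSE_DNS: Dict[str, str] = {"10.0.0.5": "fw1.example.com"}

# BSD-style syslog datagram: <PRI>Mon DD HH:MM:SS host program[pid]: message
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): (?P<msg>.*)$", re.S)

def parse(datagram: str) -> Dict[str, str]:
    m = BSD_RE.match(datagram)
    if not m:
        raise ValueError("not a BSD syslog line")
    return m.groupdict()

def hostname_for(sender_ip: str, claimed: str, use_dns: bool, keep_hostname: bool) -> str:
    # keep_hostname(no): discard the HOST field the client wrote and use the
    # sender's address instead, so a client cannot label its logs as another host.
    if keep_hostname:
        return claimed
    if use_dns:
        # use_dns(yes): PTR name when one exists, otherwise fall back to the address.
        return REVERSE_DNS.get(sender_ip, sender_ip)
    return sender_ip  # use_dns(no): always the literal IP

def rewrite_ossim(fields: Dict[str, str]) -> Dict[str, str]:
    # r_ossim: subst("\t", ";", ...) with flags("global") on HOST, PROGRAM, MESSAGE
    out = dict(fields)
    for key in ("host", "program", "msg"):
        out[key] = out[key].replace("\t", ";")
    return out

def forward(datagram: str, sender_ip: str, use_dns: bool,
            keep_hostname: bool = False, rewrite: bool = False) -> str:
    """Return the line a destination would receive for one incoming datagram."""
    f = parse(datagram)
    f["host"] = hostname_for(sender_ip, f["host"], use_dns, keep_hostname)
    if rewrite:
        f = rewrite_ossim(f)
    return "<%s>%s %s %s: %s" % (f["pri"], f["ts"], f["host"], f["program"], f["msg"])

# Constructed sample: the client claims to be "fw1" and the message contains a tab.
SAMPLE = "<34>Mar 18 10:01:02 fw1 sshd[123]: Failed\tpassword for root"

if __name__ == "__main__":
    print(forward(SAMPLE, "10.0.0.5", use_dns=False, rewrite=True))   # d_ossim path
    print(forward(SAMPLE, "10.0.0.5", use_dns=True))                  # DNS-adding relay
```

The first call reproduces the d_ossim path from the config (IP literal, tabs replaced); the second shows what a downstream relay with use_dns(yes) would produce for the same sender.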
 
Author Closing Comment

by:timbrigham
ID: 35184123
Solved myself.