Rsyslog Forwarding – How to Use Original Source IP Over TLS

rsyslogsslsyslog

I'm trying to forward all syslog messages over TLS from our enviroment to an external syslog server (dest.syslog.example.com) using rsyslog. Unfortunately the source IP is changed to that of the relay host (fwd.syslog.example.com). I would like it to send the original source IP instead of the IP of the relay host while adhering to the RSYSLOG_SyslogProtocol23Format format.

Current rsyslog configuration relevant for forwarding the syslog messages over TLS:

$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.crt
# Run driver in TLS mode
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name

$ActionSendStreamDriverPermittedPeer dest.syslog.example.com
$LocalHostName fwd.syslog.example.com
# Forward logging
*.* @@(o)dest.syslog.example.com:6514;RSYSLOG_SyslogProtocol23Format

Would it be possible to modify the fromhost-ip to the original source IP?

Best Answer

I'm not sure if this is sufficient, but the built-in template RSYSLOG_SyslogProtocol23Format is defined as

"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% 
 %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

and you can replace HOSTNAME by fromhost or fromhost-ip:

template(name="myFormat" type="string"
   string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %fromhost% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
*.* @@(o)dest.syslog.example.com:6514;myFormat

Related Solutions

Syslog forwarding loses original hostname

Personally I would recommend using syslog-ng for your internal server - it provides a whole lot more than rsyslog. Of specific interest in your case it provides some much better handling for managing / rewriting / etc for the hostnames.

If you decide to stick with rsyslog this configuration does preserve both the remote and local hostnames - it is what I used before switching to syslog-ng.

$ModLoad imuxsock.so
$ModLoad imklog.so      
$ModLoad imudp.so
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

I also was using the "-c 4" options in my init script, if it matters.

Forwarding from rsyslog to syslog-ng over TCP not working (although packets are reaching server)

Problem was tcpwrappers which was obvious once I set up a test syslog-ng instance and ran it with debug output turned on. Adding the following clause to /etc/hosts.allow did the trick

syslog-ng: 10.0.0.0/255.0.0.0

Also realised that we didn't handle syslog-ng's internal messages (which may well have told us what the problem was). Have now added the following lines to do this ...

# Deal with syslog-ng's own messages
source s_internal { internal(); };
destination d_internal {file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_internal); };

Best Answer

Related Solutions

Syslog forwarding loses original hostname

Forwarding from rsyslog to syslog-ng over TCP not working (although packets are reaching server)

Related Topic