forward received syslog messages

Read November 19, 2003, 10:06:12 am #0
theofilos

forward received syslog messages

I'd like to forward all received syslog messages to another centralized syslog server, so I start syslogd with -r and -h options. The problem is that when the message reaches the final syslog, it reports the hostname of the middle syslog server, not the hostname of first machine's message. Any suggestions?

(first machine) ---> (middle machine) ---> (last machine)

Thanx in advance
 
Read November 26, 2003, 01:58:02 pm #1
mutex

forward received syslog messages

About the only hope I can think of for this is syslog-ng, but I'm not 100% sure it'll do what you want.  syslog-ng can be found at http://www.balabit.com/products/syslog_ng/
Read November 30, 2003, 11:01:49 pm #2
mintzy

forward received syslog messages

Is there any scrubbing or other mods of the data being performed on the middle server?

Let us know the purpose of the middle server. If it is only a network topology reason, you can use it as a proxy.

Use nc to tunnel the traffic from the end stations to the final destination. This will keep the syslog data raw and intact.

I like to use netcat to create a tcp tunnel for syslog messages. Just set it up to listen on the local stations and pipe it to the middle server with another tunnel to the end station. This also adds some security.
 
Read December 01, 2003, 09:16:50 am #3
mutex

forward received syslog messages

That's a very good idea.  It really does depend on what is being done on the intermediate host.  If nothing, then it seems like a big hassle for not much return over having syslogs go directly from the first host to the third host.
Read December 17, 2003, 04:35:23 am #4
rgerhards

forward received syslog messages

You may also want to have a look at sdsc syslog:

http://security.sdsc.edu/software/sdsc-syslog/

I think it supports it via RFC3195/COOKED.

Rainer
See my page about syslog.
Read May 29, 2005, 08:05:05 am #5
mutex

forward received syslog messages

Just a quick follow-up on this.  syslog-ng has an option called keep_hostname() that will rewrite the hostname as the message is passed on.  You would need to be running syslog-ng on the syslog server in the middle, though.
Read October 16, 2008, 10:02:35 am #6
rgerhards

Re: forward received syslog messages

Also following up on this topic after being away from the forum for quite a while. With the rsyslog project I work on you can do this easily (actually, it was a design goal). The key is that RFC3164 compliant syslog is being used, which permits transmission of the original hostname over several relays.

In order to keep secure, rsyslog also supports (as part of the free open source project) native TLS capability (in fact, I am proud to say it was the world's first implementation of the upcoming syslog/TLS RFC ;)). Details can be found here:

http://www.rsyslog.com/doc-rsyslog_secure_tls.html

Rsyslog also offers ample additional communication options, including the capability to locally buffer messages when the receiver is not online.

I hope this information is useful.

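The relay behaviour the last post refers to, as an added example that is not part of the thread and is not rsyslog or syslog-ng code: a sketch of the forwarding rules in RFC 3164 section 4.3, showing when the original HOSTNAME survives the hop through the middle machine. Function names, host names and sample packets are constructed for illustration.

```python
import re
from datetime import datetime

# RFC 3164 packet: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^([A-Z][a-z]{2}) [ \d]\d \d{2}:\d{2}:\d{2} ")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed sample packets, as the first machine might emit them.
WITH_HEADER = "<34>Nov 19 10:06:10 first su: 'su root' failed on /dev/pts/8"
NO_HEADER = "<34>su: 'su root' failed on /dev/pts/8"


def rfc3164_timestamp(now):
    # RFC 3164 pads the day of month with a space, not a zero.
    return f"{MONTHS[now.month - 1]} {now.day:2d} {now:%H:%M:%S}"


def relay(packet, sender, now):
    """Return what a relay forwards, per RFC 3164 section 4.3.

    sender is the name or address the relay knows the packet's source by.
    """
    m = PRI_RE.match(packet)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest PRI
        # No valid PRI: prepend PRI 13 and a header, packet becomes CONTENT.
        return f"<13>{rfc3164_timestamp(now)} {sender} {packet}"
    rest = packet[m.end():]
    ts = TS_RE.match(rest)
    if ts and ts.group(1) in MONTHS:
        # Valid PRI and TIMESTAMP: forward untouched, HOSTNAME is preserved.
        return packet
    # Valid PRI but no TIMESTAMP: insert TIMESTAMP and the sender's name.
    return f"{m.group(0)}{rfc3164_timestamp(now)} {sender} {rest}"


def hostname_of(packet):
    """HOSTNAME field as the final collector would read it, or None."""
    m = PRI_RE.match(packet)
    rest = packet[m.end():] if m else packet
    ts = TS_RE.match(rest)
    return rest[ts.end():].split(" ", 1)[0] if ts else None


if __name__ == "__main__":
    now = datetime(2003, 11, 19, 10, 6, 12)
    for pkt in (WITH_HEADER, NO_HEADER):
        hop1 = relay(pkt, "first.example", now)   # middle machine
        hop2 = relay(hop1, "middle.example", now)  # second relay hop
        print(hostname_of(hop2), "<-", hop2)
```

The HOSTNAME field is whatever the sender wrote into the packet, so a collector that trusts it over the peer address depends on the relay path being authenticated, which is what the TLS transport mentioned above addresses.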