Logging, Syslog and Log Analysis Forums
Author Topic: rewrite source ip address  (Read 1561 times)
munthajeeb
« on: June 08, 2009, 09:25:49 am »

I have a requirement where the received syslog's source IP address needs to be changed.
This needs to be done not for all the syslogs but only for a selected few. When I searched
I found syslog-ng version 3.0 has a rewrite feature which rewrites parts of the syslog
before we can forward it. But this is only rewriting the source ip in the UDP layer and
does not change in the IP layer. The configuration I used in conf file is:

rewrite replace_source_ip{
        subst("10.168.128.235", "10.68.128.229", value("MESSAGE"));
}

Is there any way I can change the source IP value in IP layer ?
mutex
« Reply #1 on: June 08, 2009, 09:30:16 am »

Let me say what I think you're trying to do, and you can correct me if I'm wrong:

You want to send out syslog messages from a syslog-ng server to some other system.  You want some of the messages to have a source address (at the network layer) that is not the syslog-ng server's address.  Presumably because there is some intelligence in the receiving system around what host the syslog message is from.

Is that accurate?
munthajeeb
« Reply #2 on: June 08, 2009, 09:44:09 am »

Actually, devices are sending syslogs to syslog-ng server which is forwarding them
to another application. I just want to change the source IP of syslogs coming from
some devices.

Yes, I want to change them in the network layer.
mutex
« Reply #3 on: June 08, 2009, 09:53:29 am »

You'll need to reconfigure/recompile syslog-ng with the "--enable-spoof-source" argument given to "configure".

There should be a file with the distribution called "README.spoof" with more info.  I've never played with it, so I can't be a lot of help beyond that.
munthajeeb
« Reply #4 on: June 08, 2009, 09:59:14 am »

I did a snoop in the destination application and found the network layer shows the ip
address of the syslog server.  So I don't want to change that.
But the syslog layer shows an ipaddress of the device (50.50.50.50 shown below).
Which is what I want to change. Sorry for the confusion.

snoop output
------
..
SYSLOG:  ----- SYSLOG:   -----
SYSLOG:  
SYSLOG:  Priority: (BAD.FMT)
SYSLOG:  "Original Address=50.50.50.50 user.notice: SyslogGen: Origi"
SYSLOG:  
--------------------------
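The rewrite rule in the first post and the snoop output in the last one are about the same thing: the address to change lives inside the syslog message body ("Original Address=50.50.50.50"), not in the IP header, so a message-level substitution is the right tool. Two details worth checking when writing such a rule in syslog-ng: the first argument of subst() is a regular expression, so an unescaped dot in "10.168.128.235" matches any character, and without flags("global") only the first occurrence in the message is replaced. The following Python is an added illustration, not code from the thread or from syslog-ng: it parses constructed RFC 3164-style lines, substitutes an escaped, boundary-anchored IP only in the message part, and leaves the hostname field and near-miss addresses such as 150.50.50.50 untouched. All sample lines, hostnames and addresses are made up for the example.

```python
import re

# Constructed sample lines in RFC 3164 shape: <PRI>TIMESTAMP HOST MSG (not taken from the thread)
SAMPLE_LINES = [
    '<13>Jun  8 09:25:49 syslogsrv SyslogGen: Original Address=50.50.50.50 user.notice: test',
    '<13>Jun  8 09:25:50 syslogsrv SyslogGen: Original Address=150.50.50.50 user.notice: other',
    '<13>Jun  8 09:25:51 10.168.128.235 kernel: link up on 10.168.128.235',
]

# Minimal RFC 3164 splitter: priority, BSD timestamp, host, free-form message
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$'
)


def parse_syslog(line):
    """Return the PRI/timestamp/host/message fields, or None if the line does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def ip_pattern(ip):
    """Build a regex that matches exactly this dotted-quad, not a longer address containing it.

    re.escape() stops the dots from matching arbitrary characters, and the lookarounds
    refuse a match when a digit or dot sits directly before or after the address, so
    150.50.50.50 is not rewritten by a rule for 50.50.50.50.
    """
    return re.compile(r'(?<![\d.])' + re.escape(ip) + r'(?![\d.])')


def rewrite_message(line, old_ip, new_ip, replace_all=True):
    """Substitute old_ip with new_ip in the MESSAGE part only, like subst(..., value("MESSAGE")).

    replace_all=True mirrors flags("global"); False replaces only the first occurrence,
    which is the default behaviour of subst() in syslog-ng.
    """
    parts = parse_syslog(line)
    if parts is None:
        return line  # unparseable input is forwarded unchanged rather than mangled
    count = 0 if replace_all else 1
    new_msg = ip_pattern(old_ip).sub(new_ip, parts['msg'], count=count)
    return '<%s>%s %s %s' % (parts['pri'], parts['ts'], parts['host'], new_msg)


def rewrite_all(lines, old_ip, new_ip):
    """Apply the rewrite to every line; lines without a match come back unchanged."""
    return [rewrite_message(line, old_ip, new_ip) for line in lines]


if __name__ == '__main__':
    for out in rewrite_all(SAMPLE_LINES, '50.50.50.50', '10.68.128.229'):
        print(out)
```

The third sample line shows the distinction the thread arrives at: the HOST field (what the network or header layer identifies as the sender) is left alone, and only the address inside the message text is replaced.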