ForwardLogs to a single Rsyslog Server w correct Hostnames


Moderator: rgerhards

ForwardLogs to a single Rsyslog Server w correct Hostnames

Postby Der_KHAN on Mon Feb 18, 2008 4:38 pm

hey guys,

I'm trying to set up an rsyslog server which collects all the logs from different Windows servers and firewall appliances in a local domain and then forwards them to an Eventia Analyzer server in the same network. I can't send the messages to Eventia directly - I have to collect them on a single log server first (licensing reasons).

I'm using Datagram's SyslogAgent 3.4 to create syslog messages on the Windows machines, and the other devices also create standard syslog messages.

Now my problem is that the messages from the rsyslog server to the Eventia Analyzer are all tagged with the hostname of the rsyslog server, but I'd like the rsyslog server to forward messages with the original hostname; in other words, spoof the hostname.

Now I've read somewhere that rsyslog is supposed to be able to do that, but I was unable to find out how. Can you help me with this?

regards,
Stephan
Der_KHAN
New
 
Posts: 3
Joined: Fri Feb 15, 2008 1:47 pm


RE: ForwardLogs to a single Rsyslog Server w correct Hostnam

Postby rgerhards on Mon Feb 18, 2008 4:42 pm

Stephan,

Can you please post a sample message from the Datagram SyslogAgent? I guess it does not include the correct hostname inside the message (this usually is where the trouble starts). In that case, you may have luck with rewriting the message with the FROMHOST. See the config doc on how to use templates.

It may also be that the eventia server does not parse hostnames and simply uses the sender as hostname. In that case we are probably out of luck...

Rainer
rgerhards
Site Admin
 
Posts: 1780
Joined: Thu Feb 13, 2003 11:57 am

RE: ForwardLogs to a single Rsyslog Server w correct Hostnam

Postby Der_KHAN on Mon Feb 18, 2008 5:03 pm

Wow, thanks for your quick reply :)

This is how it looks on the rsyslog server:

Feb 18 16:48:56 dc.sklab.local DC security[success] 538 SKLAB\XP-CLIENT-01$ Benutzerabmeldung:\177 Benutzername:XP-CLIENT-01$\177 Domäne:SKLAB\177 Anmeldekennung:(0x0,0x1522DC1)\177 Anmeldetyp:3\177

And this is from the SmartView Tracker client on the Eventia log server:

Number: 78672
Date: 18Feb2008
Time: 17:18:59
Origin: syslog.sklab.local
Type: Log
Action:
Information: default_device_message: <38>DC security[success] 538 SKLAB\XP-CLIENT-01$ Benutzerabmeldung:\177 Benutzername:XP-CLIENT-01$\177 Domäne:SKLAB\177 Anmeldekennung:(0x0,0x153D1C8)\177 Anmeldetyp:3\177
facility: security/authorization messages
severity: Informational
Product: Syslog


XP-CLIENT-01 is a normal XP client logging off from the domain controller DC in the domain sklab.local.
syslog is the name of the rsyslog server, running on Debian Etch.

I also forwarded it to a Windows server running the Kiwi daemon:

002-18-2008 17:19:14 Auth.Info syslog.sklab.local DC security[success] 538 SKLAB\XP-CLIENT-01$ Benutzerabmeldung:\177 Benutzername:XP-CLIENT-01$\177 Domõne:SKLAB\177 Anmeldekennung:(0x0,0x153D1C8)\177 Anmeldetyp:3\177
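Rainer's hint (rewrite the message with FROMHOST through a template) and the sample line Stephan posted fit together in one illustration. The Python script below is an added example, not code from this thread or from rsyslog itself: it models how an RFC 3164 receiver decides which hostname to attach to a line (section 4.3 of the RFC: the HOSTNAME field counts only when a well-formed TIMESTAMP precedes it, otherwise the packet's source address is used), shows why the agent's line, which begins `<38>DC security[...]` with no timestamp or hostname in front of the tag, ends up attributed to the sender, and re-emits the line the way a legacy template such as `$template Fwd,"<%PRI%>%TIMESTAMP% %FROMHOST% %msg%"` would. PRI, TIMESTAMP, FROMHOST and msg are real rsyslog template properties; the hostnames, the timestamp, the `receive`/`relay` function names and the `parse_header` switch are assumptions made for the example.

```python
"""Added example (not from the thread or from rsyslog): how an RFC 3164
receiver attributes a hostname, and what a FROMHOST template changes."""
import re
from dataclasses import dataclass

# Sample line as it leaves the agent, constructed from the thread's example.
# It starts with the PRI and goes straight into the tag "DC security[...]";
# there is no "Mmm dd hh:mm:ss HOSTNAME" header in front of the tag.
AGENT_LINE = (
    r"<38>DC security[success] 538 SKLAB\XP-CLIENT-01$ Benutzerabmeldung:\177 "
    r"Benutzername:XP-CLIENT-01$\177 Domäne:SKLAB\177 Anmeldetyp:3\177"
)

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG   (day is space padded)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} (?: \d|\d\d) \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
# Fallback: a PRI followed by arbitrary text (the shape of the agent line).
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$", re.DOTALL)


@dataclass
class Record:
    facility: int
    severity: int
    hostname: str
    hostname_from: str  # "header" (parsed from the line) or "sender" (UDP source)
    msg: str


def _split_pri(pri_text: str):
    pri = int(pri_text)
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("invalid PRI %d" % pri)
    return pri >> 3, pri & 7


def receive(line: str, sender: str, parse_header: bool = True) -> Record:
    """Attribute a hostname like an RFC 3164 receiver: take HOSTNAME from the
    line only when a well-formed TIMESTAMP precedes it, otherwise fall back to
    the address the packet came from. parse_header=False models a receiver
    that never looks at the header and always uses the sender, which is what
    the thread suspects of Eventia and Kiwi."""
    if parse_header:
        m = HEADER_RE.match(line)
        if m:
            fac, sev = _split_pri(m.group("pri"))
            return Record(fac, sev, m.group("host"), "header", m.group("msg"))
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    fac, sev = _split_pri(m.group("pri"))
    return Record(fac, sev, sender, "sender", m.group("msg"))


def expand_template(template: str, props: dict) -> str:
    """Expand %NAME% placeholders: a simplified stand-in for an rsyslog legacy
    template such as   $template Fwd,"<%PRI%>%TIMESTAMP% %FROMHOST% %msg%"   """
    return re.sub(r"%([A-Za-z]+)%", lambda m: str(props[m.group(1)]), template)


def relay(line: str, fromhost: str, received_at: str) -> str:
    """Re-emit a received line with a full header. FROMHOST is the address the
    relay got the packet from, so on the central rsyslog server it names the
    Windows box, not the relay. Simplification: real rsyslog keeps the tag in
    %syslogtag% and the remainder in %msg%; here %msg% carries both."""
    rec = receive(line, fromhost)
    props = {
        "PRI": rec.facility * 8 + rec.severity,
        "TIMESTAMP": received_at,
        "FROMHOST": fromhost,
        "msg": rec.msg,
    }
    return expand_template("<%PRI%>%TIMESTAMP% %FROMHOST% %msg%", props)


if __name__ == "__main__":
    # 1. The agent line arrives at the rsyslog server from the DC.
    at_relay = receive(AGENT_LINE, "dc.sklab.local")
    print("relay sees:", at_relay.hostname, "(from", at_relay.hostname_from + ")")
    # 2. The relay forwards it with a template that inserts FROMHOST.
    fwd = relay(AGENT_LINE, "dc.sklab.local", "Feb 18 16:48:56")
    print("on the wire:", fwd[:60], "...")
    # 3a. A header-parsing destination attributes it to the DC ...
    print("header-parsing receiver:", receive(fwd, "syslog.sklab.local").hostname)
    # 3b. ... a sender-only destination still attributes it to the relay.
    print("sender-only receiver:",
          receive(fwd, "syslog.sklab.local", parse_header=False).hostname)
```

Running it shows the split Rainer describes: once the relay puts the original host into the header, a destination that parses the header attributes the event to dc.sklab.local, while one that keys only on the UDP source still shows syslog.sklab.local. Which of the two a given product does is exactly what a capture of the forwarded packet, as Rainer asks for later in the thread, would settle.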

RE: ForwardLogs to a single Rsyslog Server w correct Hostnam

Postby rgerhards on Mon Feb 18, 2008 9:13 pm

I think Kiwi doesn't know how to parse the hostname from the message. Same seems to apply for the eventia server. Can you sniff the packet off the wire?

RE: ForwardLogs to a single Rsyslog Server w correct Hostnam

Postby Der_KHAN on Tue Feb 19, 2008 8:38 am

Well, my hope was that rsyslog can spoof the address of the original sender of the syslog message.

RE: ForwardLogs to a single Rsyslog Server w correct Hostnam

Postby rgerhards on Tue Feb 19, 2008 8:52 am

You mean spoof the address in the UDP packet? No, it can not do that and I have some concerns in doing so. Either way, I think that would not help you with the eventia server. Wouldn't that cause it to assume that there are several machines sending to it, thus again getting into trouble with the licensing? ;)

I think the most appropriate thing to do here is to have the sources send the messages directly to the destination. I do not think that it is a valid case to send them to an interim instance (rsyslog) which then re-emits them looking as if it were the machines - and all of this just to circumvent some licensing issue. Doesn't look like the right thing to me...

Rainer
