inconsistent device/sender IP in logs

Postby jchrisos » Fri Mar 05, 2010 4:42 am

Can anyone tell me why I don't always get the sender IP in my log files? I have one Windows host sending event logs via syslog, and the same server sends me Symantec Endpoint (SEPM) events via syslog too. At any rate, the majority of the time the syslog files include the sender IP address, but other times they don't. Why is this?

Sample log without IP:
Mar 4 18:12:13 Service Control Manager: 7036: The LiveUpdate service entered the stopped state.
Mar 2 11:15:44 Service Control Manager: 7036: The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Mar 2 09:03:48 Service Control Manager: 7035: NT AUTHORITY\SYSTEM: The LiveUpdate service was successfully sent a start control.
Mar 3 13:31:51 Symantec AntiVirus: 7: New virus definition file loaded. Version: 120303e.

Sample log with IP:
Mar 4 21:36:07 192.168.0.83 Security: 538: NT AUTHORITY\ANONYMOUS LOGON: User Logoff: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon ID: (0x0,0x26420589) Logon Type: 3

Line in config to generate line:
if $fromhost-ip contains '192.168.0.83' then /var/log/192.168.0.83.windows

It is rsyslog that puts in the timestamp and sender IP, correct? If so, why would it not include the IP in the log?

Re: inconsistent device/sender IP in logs

Postby rgerhards » Fri Mar 05, 2010 8:01 am

jchrisos wrote: If so, why would it not include the IP in the log?

Because the default template uses the sender-provided name, if such is present. That is done according to RFC 3164/RFC 5424. You can modify the template to include the IP.

Re: inconsistent device/sender IP in logs

Postby jchrisos » Sun Mar 07, 2010 5:07 am

rgerhards wrote: Because the default template uses the sender-provided name, if such is present. That is done according to RFC 3164/RFC 5424. You can modify the template to include the IP.

Thank you very much for your reply. If what you said is true, wouldn't I see the sender-provided name in the actual syslog packet? I captured the datagrams and the format is exactly the same except for the message itself, yet rsyslog provides the sender IP in the log for only one of them. The forum wouldn't let me attach the pcaps, probably because they are binary, so I zipped them instead - hope that worked.

At any rate, here is some more info

Rsyslog's output without the sender IP:
Mar 6 19:13:58 Service Control Manager: 7036: The LiveUpdate service entered the stopped state.
Application layer payload from packet capture:
<29>Mar 6 19:13:58 Service Control Manager: 7036: The LiveUpdate service entered the stopped state.

In this one, there is the sender IP (192.168.0.83).
Mar 6 21:13:32 192.168.0.83 Security: 538: NT AUTHORITY\ANONYMOUS LOGON: User Logoff: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon ID: (0x0,0x35FA4971) Logon Type: 3
Application layer payload from packet capture:
<29>Mar 6 21:13:32 Security: 538: NT AUTHORITY\ANONYMOUS LOGON: User Logoff: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon ID: (0x0,0x35FA4971) Logon Type: 3

If rsyslog includes the sender-provided IP, wouldn't I see that somewhere in the syslog datagram? If so, I don't see it in there.

Thanks!!!!!
Attachments: 2 packets.zip (2 captured packets zipped, 639 Bytes)
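A worked model of what the rgerhards reply and the two captured payloads above describe, added here as an example and not code from the thread or from rsyslog itself: a simplified re-implementation of the legacy RFC 3164 header heuristic, in which the word after the timestamp is taken as the hostname unless a ':' is reached first, in which case the hostname is treated as missing and the sender IP is substituted. The sender address 192.168.0.83 and the two payloads are taken from the posts; the function names, the simplified MSG handling and the template shapes are this example's own assumptions.

```python
import re

# Simplified model of rsyslog's legacy (RFC 3164) header parser, written for
# this thread; it is NOT rsyslog's code.  A datagram is "<PRI>" followed by a
# "Mmm dd hh:mm:ss" timestamp, then (optionally) HOSTNAME, then TAG and content.
PRI_RE = re.compile(r"^<\d{1,3}>")
TS_RE = re.compile(r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}"
                   r"\d{1,2} \d\d:\d\d:\d\d ")


def parse_rfc3164(payload, fromhost_ip):
    """Return (timestamp, hostname, msg) for one datagram.

    The word after the timestamp is read up to a space or a ':'.  If it ended
    at a space it is the HOSTNAME; if it hit ':' first it is really the TAG,
    so the hostname is missing and the sender's IP (fromhost-ip) is used.
    Here "msg" is everything after the hostname (tag plus content), which is
    what the traditional file format prints after HOSTNAME.
    """
    m = PRI_RE.match(payload)
    if m is None:
        raise ValueError("missing <PRI>")
    rest = payload[m.end():]
    ts = TS_RE.match(rest)
    if ts is None:
        raise ValueError("no RFC 3164 timestamp")
    timestamp, rest = rest[:ts.end()].rstrip(), rest[ts.end():]
    word = re.match(r"[^ :]*", rest).group(0)
    if word and rest[len(word):len(word) + 1] == " ":
        return timestamp, word, rest[len(word) + 1:]
    return timestamp, fromhost_ip, rest


def render_default(payload, fromhost_ip):
    """What the traditional file template writes: TIMESTAMP HOSTNAME MSG."""
    timestamp, hostname, msg = parse_rfc3164(payload, fromhost_ip)
    return f"{timestamp} {hostname} {msg}"


def render_with_ip(payload, fromhost_ip):
    """A template that also writes %fromhost-ip% always carries the sender."""
    timestamp, hostname, msg = parse_rfc3164(payload, fromhost_ip)
    return f"{timestamp} {fromhost_ip} {hostname} {msg}"


# The two application-layer payloads from the thread's capture (sender 192.168.0.83).
SENDER = "192.168.0.83"
NO_IP = ("<29>Mar 6 19:13:58 Service Control Manager: 7036: "
         "The LiveUpdate service entered the stopped state.")
WITH_IP = (r"<29>Mar 6 21:13:32 Security: 538: NT AUTHORITY\ANONYMOUS LOGON: "
           "User Logoff: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY "
           "Logon ID: (0x0,0x35FA4971) Logon Type: 3")

if __name__ == "__main__":
    for p in (NO_IP, WITH_IP):
        print(render_default(p, SENDER))
```

The same heuristic explains the first post's samples: "Symantec AntiVirus: 7:" loses "Symantec" as a hostname, while "Security: 538:" keeps the IP. Writing %fromhost-ip% into the output template (the property the poster's filter already tests) records the sender regardless of how the message body happens to parse.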

Re: inconsistent device/sender IP in logs

Postby jchrisos » Tue Mar 09, 2010 3:35 pm

If it helps, here is the line from my rsyslog.conf I use for logging:

if $fromhost-ip contains '192.168.0.83' then /var/log/192.168.0.83.windows