How can I separate logs based on source IP or hostname behind NAT using syslog-ng?
I created centralized logging using syslog-ng. It has to cover multiple offices with 1-2 public IPs, plus multiple other servers/devices running "in the cloud".
Just the cloud servers are working OK; when I want to collect logs from the different devices in an office I lose the hostname / source IP info of the devices. I only get the external public IP.
The syslog-ng version is 3.5.3, running on an Ubuntu 14.04 machine (in the cloud, with a public IP address).
My non-default config file is the following, /etc/syslog-ng/conf.d/logserver.conf:
    source s_network_udp {
        syslog(ip(<syslog_server_public_ip>) transport("udp") keep-hostname(yes));
    };
    source s_network_tcp {
        tcp(ip(<syslog_server_public_ip>) port(514) keep-hostname(yes));
    };
    destination d_netlog {
        file("/var/log/remote/${host}.log");
    };
    log { source(s_network_udp); destination(d_netlog); };
    log { source(s_network_tcp); destination(d_netlog); };

Every public server has its own $hostname.log file, but the office devices end up in 1 big public_ip_of_office.log file.
The syslog-ng.conf file has the default configs. I am not sure whether the NAT-ing is causing the issue or not. I do not use the relay feature; I have 1 syslog-ng server.
Any help would be great.
NAT hides the source IPs. This is not a syslog-ng / syslog issue.
You can use keep-hostname(). I suggest not to use it.
If you allow me, I suggest a hint to improve your setup:
- implement syslog-ng relays on the NAT boxes
- use the IETF syslog protocol instead of legacy BSD syslog, at least between the relay and the target server
- if you implemented relays, do not use keep-hostname on the relays! That's the final chance to check at least the source IP of the sender.
With this kind of setup, the relay sees the real source IP, and it can add several metadata items in the SDATA part of the IETF protocol, e.g. the source IP.
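One way to build the relay setup described in this answer, as an added example that is neither the answerer's nor the syslog-ng project's own configuration: a relay in each office records the sender's real address in SDATA and forwards over the IETF protocol, and the central server files messages by that metadata. Assumed names: central.example.com on port 601, the constructed site label office-1, and enterprise number 32473, which RFC 5612 reserves for documentation.

```conf
# --- relay: one per office, on the NAT box (added example, assumed names) ---
# Devices send plain BSD syslog to the relay over the LAN, so here
# ${SOURCEIP} is still the device's real (pre-NAT) address.
source s_lan {
    udp(ip("0.0.0.0") port(514) keep-hostname(no) use-dns(no));
};

# Record the real sender in structured data (an RFC 5424 SD-ELEMENT).
# 32473 is the enterprise number RFC 5612 reserves for documentation;
# replace it with your own PEN. "office-1" is a constructed site label.
rewrite r_tag_origin {
    set("${SOURCEIP}" value(".SDATA.relay@32473.sourceip"));
    set("office-1"    value(".SDATA.relay@32473.site"));
};

# Forward with the IETF syslog protocol so the SDATA survives the hop.
destination d_central {
    syslog("central.example.com" transport("tcp") port(601));
};

log { source(s_lan); rewrite(r_tag_origin); destination(d_central); };

# --- central server: receives from the relays only ---
# keep-hostname(yes) preserves the HOST the relay already assigned
# from the real sender (keep-hostname(no) + use-dns(no) on the relay).
source s_relays {
    syslog(ip("0.0.0.0") port(601) transport("tcp") keep-hostname(yes));
};

# One file per office per device, taken from the relay's SDATA.
destination d_netlog {
    file("/var/log/remote/${.SDATA.relay@32473.site}/${.SDATA.relay@32473.sourceip}.log"
         create-dirs(yes));
};

log { source(s_relays); destination(d_netlog); };
```

Because the relay sees the pre-NAT address, both the HOST field and the SDATA element carry the real device IP by the time the message reaches the central server, so the per-office file no longer collapses to the office's public IP.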