Hi All, I have a problem that I'm not sure how to get around.
I have 3 machines: a client, a firewall and a log store. The firewall is Linux running iptables. The client and log store are on different networks (X.X.4.X) and (X.X.5.X). The firewall is used to bridge these networks.

I've configured rsyslog on the client (.4.) to send messages to the log store (.5.). I've also configured a template on the log store to print the $fromhost-ip and original raw message, and I'm printing everything (*.*) to the log files.

When the firewall rewrites the source address (so they appear to be coming from the .5.x network), the messages get logged. If I leave the source address alone, the messages disappear. I know the packets are arriving at the log store with both configurations because I can see this with tcpdump on the log store.

On the firewall I have the following configuration that I've put together:

  iptables -A POSTROUTING -t nat -o eth1 -j ACCEPT
  iptables -A PREROUTING -t nat -i -p udp --dport 514 -j DNAT --to-destination X.X.5.X

(On my actual config the Xs are not blanked out.) Unfortunately, with this rule in place I do not see anything in the log file. Changing the first line of the iptables config to

  iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE

means that I can now see output getting to my log files, but the IP address is incorrect.

Is this a bug, or is rsyslog doing some intelligent work under the hood to detect IP address spoofing? I'm using Ubuntu Server 9.10. Unfortunately, using the hostname instead of the IP address in my case is not an option.

Hope someone can help,
Kris

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
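The datagram path the post describes, as an added example that is not part of the original message and not rsyslog's own code: a loopback UDP receiver that fills the $fromhost-ip property from the packet's source address, the way rsyslog does, rather than from the hostname written inside the payload; renders the post's template (peer address, then the raw message); and applies a source-address allow-list the way rsyslog's $AllowedSender directive does. The sample message and the addresses 10.0.4.7, 10.0.4.0/24 and 10.0.5.0/24 are constructed stand-ins for the post's masked X.X.4.X / X.X.5.X networks, and the allow-list path is a check to run on the log store, not a diagnosis: the post does not say whether the log store restricts senders.

```python
import ipaddress
import re
import socket
import threading

# Minimal RFC 3164 shape: <PRI>TIMESTAMP HOSTNAME MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<msg>.*)$"
)


def parse_rfc3164(raw):
    """Return the fields carried inside the datagram payload."""
    m = RFC3164_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "hostname": m.group("hostname"),  # whatever the sender chose to write
        "msg": m.group("msg"),
    }


def render_template(fromhost_ip, raw):
    """Mimic the post's template: $fromhost-ip followed by the raw message."""
    return "%s %s" % (fromhost_ip, raw)


def sender_allowed(fromhost_ip, allowed_nets):
    """Evaluate an allow-list against the datagram's source address
    (what $AllowedSender filters on), never against the payload hostname."""
    addr = ipaddress.ip_address(fromhost_ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed_nets)


def loopback_roundtrip(raw, allowed_nets=("127.0.0.0/8",)):
    """Send `raw` over UDP to a receiver on 127.0.0.1 and return what that
    receiver would log: the rendered line, or None if the sender is filtered.
    An ephemeral loopback port stands in for udp/514 (constructed setup)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    port = rx.getsockname()[1]
    result = {"line": None}

    def receiver():
        try:
            data, (peer_ip, _) = rx.recvfrom(65535)
        except socket.timeout:
            return
        # fromhost-ip is taken from the IP header of the datagram, so any
        # NAT between sender and receiver changes it; the payload does not.
        if not sender_allowed(peer_ip, allowed_nets):
            return
        result["line"] = render_template(peer_ip, data.decode("utf-8", "replace"))

    t = threading.Thread(target=receiver)
    t.start()
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.sendto(raw.encode("utf-8"), ("127.0.0.1", port))
    t.join()
    rx.close()
    tx.close()
    return result["line"]


if __name__ == "__main__":
    # Constructed sample message; "client-a" is the hostname the sender wrote.
    sample = "<34>Oct 11 22:14:15 client-a su: 'su root' failed for lonvick on /dev/pts/8"
    print(parse_rfc3164(sample))
    print(loopback_roundtrip(sample))
    print(sender_allowed("10.0.4.7", ["10.0.5.0/24"]))                 # only the .5 network allowed
    print(sender_allowed("10.0.4.7", ["10.0.4.0/24", "10.0.5.0/24"]))  # both networks allowed
```

Two things the script makes visible that the post's tcpdump check does not: a packet capture is taken from the link layer before the kernel's IP input path, so a datagram can appear in tcpdump on the log store and still be dropped before it reaches the daemon (by a reverse-path or firewall check on the receiving host) or rejected by a sender allow-list inside rsyslog; and because $fromhost-ip is copied from the IP header, MASQUERADE on the firewall will always make the logged address the firewall's own rather than the client's.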

