Kris, it sounds as though your iptables rules aren't working very well for you. I suggest you set up wireshark or tcpdump on the log host machine and run the test again - I bet you would find that the traffic isn't making it. In the case that the IP isn't rewritten, that is expected. You're doing NAT, so rsyslog would have no other detail about the remote host you are originally delivering the data from.
At this point I think most of your problems are iptables related, and not really rsyslog related.

-Aaron

On Mon, Apr 19, 2010 at 5:24 AM, <[email protected]> wrote:
> Hi All,
>
> I have a problem that I'm not sure how to get around.
>
> I have 3 machines: a client, a firewall and a log store. The firewall is
> Linux running iptables. The client and log store are on different networks
> (X.X.4.X) and (X.X.5.X). The firewall is used to bridge these networks.
>
> I've configured rsyslog on the client (.4.) to send messages to the log store
> (.5.). I've also configured a template on the log store to print the
> $fromhost-ip and original raw message, and I'm printing everything (*.*) to
> the log files.
>
> When the firewall rewrites the source address (so they appear to be coming
> from the .5.x network), the messages get logged. If I leave the source
> address alone, the messages disappear. I know the packets are arriving at the
> log store with both configurations because I can see this with TCPDUMP on the
> log store.
>
> On the firewall I have the following configuration that I've put together.
>
> iptables -A POSTROUTING -t nat -o eth1 -j ACCEPT
> iptables -A PREROUTING -t nat -i -p udp --dport 514 -j DNAT --to-destination X.X.5.X
>
> (On my actual config the Xs are not blanked out.)
>
> Unfortunately with this rule in place I do not see anything in the log file.
>
> Changing the first line of the iptables config to
>
> iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
>
> means that I can now see output getting to my log files, but the IP address is
> incorrect.
>
> Is this a bug? Or is rsyslog doing some intelligent work under the hood to
> detect IP address spoofing? I'm using Ubuntu Server 9.10.
> Unfortunately, using the hostname instead of the IP address in my case is not an option.
>
> Hope someone can help
> Kris
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
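To make Aaron's point concrete (that a UDP syslog receiver learns the sender only from the IP header, so behind MASQUERADE `$fromhost-ip` can only be the firewall's address, and the hostname field inside the message body is the one origin indicator NAT leaves alone), here is a small added example. It is not code from the thread or from rsyslog itself: a loopback UDP listener records the kernel-reported peer address next to the raw datagram, the same pair Kris's template prints, and a minimal RFC 3164 parser pulls out the in-band hostname. The sample message is constructed, and the listener uses an ephemeral port instead of udp/514 so it runs without root.

```python
import re
import socket

# Constructed sample of what a client on the .4.x network would send to udp/514;
# not a message from the thread. PRI <13> is facility 1 (user) * 8 + severity 5 (notice).
SAMPLE_MESSAGE = b"<13>Apr 19 05:24:00 client-host test: hello from the .4. network"

# Minimal RFC 3164 shape: <PRI>TIMESTAMP HOSTNAME MSG
RFC3164_RE = re.compile(
    rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL
)


def parse_rfc3164(raw):
    """Split a BSD-syslog datagram into its fields. Raises ValueError on junk."""
    m = RFC3164_RE.match(raw)
    if m is None:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2).decode("ascii"),
        "hostname": m.group(3).decode("ascii", "replace"),
        "msg": m.group(4).decode("utf-8", "replace"),
    }


def format_like_template(fromhost_ip, raw):
    """Equivalent of an rsyslog template of the form "%fromhost-ip% %rawmsg%\\n"."""
    return "%s %s\n" % (fromhost_ip, raw.decode("utf-8", "replace"))


def receive_one(listener, timeout=2.0):
    """What a UDP syslog receiver sees: the payload plus the kernel-reported peer address.

    The peer address is the packet's IP source. After MASQUERADE/SNAT on the
    firewall that source is the firewall, and nothing else in the datagram
    carries the pre-NAT address.
    """
    listener.settimeout(timeout)
    raw, (peer_ip, _peer_port) = listener.recvfrom(65535)
    return peer_ip, raw


def demo(message=SAMPLE_MESSAGE):
    """Send one datagram over loopback and record it the way the template above would."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Port 0 picks a free unprivileged port so this runs without root; real rsyslog uses udp/514.
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message, ("127.0.0.1", port))
        peer_ip, raw = receive_one(listener)
    finally:
        sender.close()
        listener.close()
    fields = parse_rfc3164(raw)
    return {
        "fromhost_ip": peer_ip,                # from the IP header, not the message body
        "hostname_field": fields["hostname"],  # in-band origin, survives NAT unchanged
        "facility": fields["facility"],
        "severity": fields["severity"],
        "line": format_like_template(peer_ip, raw),
    }


if __name__ == "__main__":
    result = demo()
    print("logged line:", result["line"], end="")
    print("$fromhost-ip =", result["fromhost_ip"], "| hostname field =", result["hostname_field"])
```

Run on loopback the recorded `fromhost_ip` is 127.0.0.1 while the hostname field still says `client-host`; on Kris's topology the same split is what turns the .4.x client into the firewall's .5.x address once MASQUERADE is in the POSTROUTING chain. The `tcpdump` check Aaron suggests answers the other half of the question, whether the un-rewritten packets reach the receiving socket at all, which this example cannot show.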

