Hi Aaron,

I've run tcpdump on the log store (not the client) and I can see the packets hitting the server; it seems to be rsyslog that's not picking them up.

Using tcpdump and the first iptables config gives the correct IP address when tcpdump is run on the log store, but no message is shown in the log files. Using tcpdump and the second iptables config gives the IP address of the firewall when tcpdump is run on the log store, and the message appears in the log file on disk.

Hopefully that makes it a little more clear, but apologies if I misunderstood the reply.

Thanks
Kris

---- Aaron Wiebe <[email protected]> wrote:
> Kris, it sounds as though your iptables rules aren't working very
> well for you. I suggest you set up wireshark or tcpdump on the log
> host machine and run the test again - I bet you would find that the
> traffic isn't making it. In the case that the IP isn't rewritten,
> that is expected. You're doing NAT, so rsyslog would have no other
> detail about the remote host you are originally delivering the data
> from.
>
> At this point I think most of your problems are iptables related, and
> not really rsyslog related.
>
> -Aaron
>
> On Mon, Apr 19, 2010 at 5:24 AM, <[email protected]> wrote:
> > Hi All,
> >
> > I have a problem that I'm not sure how to get around.
> >
> > I have 3 machines, a client, a firewall and a log store. The firewall is
> > Linux running iptables. The client and log store are on different networks
> > (X.X.4.X) and (X.X.5.X). The firewall is used to bridge these networks.
> >
> > I've configured rsyslog on the client (.4.) to send messages to the log
> > store (.5.). I've also configured a template on the log store to print the
> > $fromhost-ip and original raw message, and I'm printing everything (*.*) to
> > the log files.
> >
> > When the firewall rewrites the source address (so they appear to be coming
> > from the .5.x network), the messages get logged. If I leave the source
> > address alone, the messages disappear. I know the packets are arriving at
> > the log store with both configurations because I can see this with TCPDUMP
> > on the log store.
> >
> > On the firewall I have the following configuration that I've put together.
> >
> > iptables -A POSTROUTING -t nat -o eth1 -j ACCEPT
> > iptables -A PREROUTING -t nat -i -p udp --dport 514 -j DNAT
> > --to-destination X.X.5.X
> >
> > (On my actual config the Xs are not blanked out).
> >
> > Unfortunately with this rule in place I do not see anything in the log file.
> >
> > Changing the first line of the iptables config to
> >
> > iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
> >
> > means that I can now see output getting to my log files, but the IP address
> > is incorrect.
> >
> > Is this a bug? Or is rsyslog doing some intelligent work under the hood to
> > detect IP address spoofing? I'm using Ubuntu Server 9.10. Unfortunately,
> > using the hostname instead of the IP address in my case is not an option.
> >
> > Hope someone can help
> > Kris
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com

