Can you provide more details about what you see in tcpdump and what your configuration of rsyslog is?
Aaron

On Mon, Apr 19, 2010 at 10:05 AM, <[email protected]> wrote:
> Hi Aaron,
> I've run tcpdump on the log store (not the client) and I can see the packets
> hitting the server; it seems to be rsyslog that's not picking them up.
>
> Using tcpdump and the first iptables config gives the correct IP address
> when tcpdump is run on the log store, but no message is shown in the log
> files.
>
> Using tcpdump and the second iptables config gives the IP address of the
> firewall when tcpdump is run on the log store, and the message appears in the
> log file on disk.
>
> Hopefully that makes it a little more clear, but apologies if I misunderstood
> the reply.
>
> Thanks
> Kris
>
> ---- Aaron Wiebe <[email protected]> wrote:
>> Kris, it sounds as though your iptables rules aren't working very
>> well for you. I suggest you set up wireshark or tcpdump on the log
>> host machine and run the test again - I bet you would find that the
>> traffic isn't making it. In the case that the IP isn't rewritten,
>> that is expected. You're doing NAT, so rsyslog would have no other
>> detail about the remote host you are originally delivering the data
>> from.
>>
>> At this point I think most of your problems are iptables related, and
>> not really rsyslog related.
>>
>> -Aaron
>>
>> On Mon, Apr 19, 2010 at 5:24 AM, <[email protected]> wrote:
>> > Hi All,
>> >
>> > I have a problem that I'm not sure how to get around.
>> >
>> > I have 3 machines, a client, a firewall and a log store. The firewall is
>> > Linux running iptables. The client and log store are on different networks
>> > (X.X.4.X) and (X.X.5.X). The firewall is used to bridge these networks.
>> >
>> > I've configured rsyslog on the client (.4.) to send messages to the log
>> > store (.5.). I've also configured a template on the log store to print the
>> > $fromhost-ip and original raw message, and I'm printing everything (*.*) to
>> > the log files.
>> >
>> > When the firewall rewrites the source address (so they appear to be coming
>> > from the .5.x network), the messages get logged. If I leave the source
>> > address alone, the messages disappear. I know the packets are arriving at
>> > the log store with both configurations because I can see this with tcpdump
>> > on the log store.
>> >
>> > On the firewall I have the following configuration that I've put together.
>> >
>> > iptables -A POSTROUTING -t nat -o eth1 -j ACCEPT
>> > iptables -A PREROUTING -t nat -i -p udp --dport 514 -j DNAT
>> > --to-destination X.X.5.X
>> >
>> > (On my actual config the Xs are not blanked out).
>> >
>> > Unfortunately with this rule in place I do not see anything in the log
>> > file.
>> >
>> > Changing the first line of the iptables config to
>> >
>> > iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
>> >
>> > means that I can now see output getting to my log files, but the IP address
>> > is incorrect.
>> >
>> > Is this a bug? Or is rsyslog doing some intelligent work under the hood to
>> > detect IP address spoofing? I'm using Ubuntu Server 9.10. Unfortunately
>> > using the hostname instead of the IP address in my case is not an option.
>> >
>> > Hope someone can help
>> > Kris
>> >
>> > _______________________________________________
>> > rsyslog mailing list
>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com
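An added example, not code from this thread or from rsyslog: a loopback UDP receiver that shows the only two things a collector gets per datagram, the raw payload and the peer address the kernel reports. That peer address is all rsyslog has for $fromhost-ip, which is why after MASQUERADE it can only show the firewall, as Aaron says. The sample message, the ephemeral port and the PRI parsing are constructed for the example.

```python
"""Loopback UDP syslog receiver (added example, not rsyslog code).

Shows what a collector sees per datagram: the raw payload and the peer
address reported by the kernel, which is all rsyslog has for $fromhost-ip.
The sample message and the ephemeral port are constructed."""
import re
import socket

# RFC 3164 style payload: <PRI>rest-of-message. Kept deliberately loose.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(payload: bytes) -> dict:
    """Split a datagram into facility, severity and the text after the PRI."""
    text = payload.decode("utf-8", errors="replace")
    m = _PRI_RE.match(text)
    if m is None:
        # No PRI at all: syslog receivers commonly assume user.notice (PRI 13)
        return {"facility": 1, "severity": 5, "msg": text}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "msg": m.group(2)}


def format_like_template(fromhost_ip: str, payload: bytes) -> str:
    """Mimic a template that prints the sender IP followed by the raw message."""
    return f"{fromhost_ip} {payload.decode('utf-8', errors='replace')}"


def capture_one(payload: bytes, timeout: float = 2.0):
    """Bind a UDP listener on loopback, send `payload` to it from a second
    socket, and return what the listener sees: (peer IP, raw datagram).

    An ephemeral port is used instead of 514 so no root is needed. The peer
    IP is whatever source address the packet carried when it reached the
    socket; any rewrite done by NAT upstream is invisible at this point."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(timeout)
        cli.sendto(payload, srv.getsockname())
        data, (peer_ip, _port) = srv.recvfrom(65535)
        return peer_ip, data


if __name__ == "__main__":
    sample = b"<34>Apr 19 10:05:00 client sshd[2101]: test message"  # constructed
    ip, raw = capture_one(sample)
    print(format_like_template(ip, raw))
    print(parse_syslog(raw))
```

Running it on the log store itself is a quick way to confirm that a socket on the box does see the datagrams tcpdump shows, and what source address they carry, before looking at the rsyslog configuration.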

