Do you have a route from the box running rsyslog to the source IP addresses that the logs are coming from? If you don't, then even though you see them in a tcpdump, your applications will not see the packets (there is a config option in Linux to disable this feature).
David Lang

On Mon, 19 Apr 2010, [email protected] wrote:

> Date: Mon, 19 Apr 2010 15:05:26 +0100
> From: [email protected]
> Reply-To: rsyslog-users <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] iptables and centralised logs with rsyslog and UDP
>
> Hi Aaron,
> I've run tcpdump on the log store (not the client) and I can see the packets
> hitting the server, it seems to be rsyslog that's not picking them up.
>
> Using tcpdump and the first iptables config, gives the correct ip address
> when tcpdump is run on the log store, but no message is shown in the log
> files.
>
> Using tcpdump and the second iptables config, gives the ip address of
> firewall when tcpdump is run on the log store and the message appears in log
> file on disk.
>
> Hopefully that makes it a little more clear but apologies if I misunderstood
> the reply
>
> Thanks
> Kris
> ---- Aaron Wiebe <[email protected]> wrote:
>> Kris, it sounds as though your iptables rules aren't working very
>> well for you. I suggest you set up wireshark or tcpdump on the log
>> host machine and run the test again - I bet you would find that the
>> traffic isn't making it. In the case that the IP isn't rewritten,
>> that is expected. You're doing NAT, so rsyslog would have no other
>> detail about the remote host you are originally delivering the data
>> from.
>>
>> At this point I think most of your problems are iptables related, and
>> not really rsyslog related.
>>
>> -Aaron
>>
>> On Mon, Apr 19, 2010 at 5:24 AM, <[email protected]> wrote:
>>> Hi All,
>>>
>>> I have a problem that I'm not sure how to get around.
>>>
>>> I have 3 machines, a client, a firewall and a log store. The firewall is
>>> Linux running iptables. The client and log store are on different networks
>>> (X.X.4.X) and (X.X.5.X). The firewall is used to bridge these networks.
>>>
>>> I've configured rsyslog on the client (.4.) to send messages to the log
>>> store (.5.). I've also configured a template on the log store to print the
>>> $fromhost-ip and original raw message and I'm printing everything (*.*) to
>>> the log files.
>>>
>>> When the firewall rewrites the source address (so they appear to be coming
>>> from the .5.x network), the messages get logged. If I leave the source
>>> address alone, the messages disappear. I know the packets are arriving at
>>> the log store with both configurations because I can see this with TCPDUMP
>>> on the log store.
>>>
>>> On the firewall I have the following configuration that I've put together.
>>>
>>> iptables -A POSTROUTING -t nat -o eth1 -j ACCEPT
>>> iptables -A PREROUTING -t nat -i -p udp --dport 514 -j DNAT
>>> --to-destination X.X.5.X
>>>
>>> (On my actual config the Xs are not blanked out).
>>>
>>> Unfortunately with this rule in place I do not see anything in the log file.
>>>
>>> Changing the first line of the iptables config to
>>>
>>> iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
>>>
>>> means that I can now see output getting to my log files but the ipaddress
>>> is incorrect.
>>>
>>> Is this a bug? Or is rsyslog doing some intelligent work under the hood to
>>> detect ip address spoofing? I'm using ubuntu server 9.10. Unfortunately
>>> using the hostname instead of the ipaddress in my case is not an option
>>>
>>> Hope someone can help
>>> Kris
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com
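The "config option" David Lang refers to is the kernel's reverse path filter (`net.ipv4.conf.<iface>.rp_filter`), which drops an inbound packet when the host has no suitable route back to its source address; tcpdump captures before that drop, so the packet shows up there but never reaches rsyslog. The following Python model is an added example, not code from the thread or from the rsyslog project. It assumes constructed addresses (10.0.4.0/24 for the client side, 10.0.5.0/24 for the log store side, firewall at 10.0.5.1, log store on eth0) in place of the post's blanked-out X.X.4.X / X.X.5.X, and walks the two iptables variants from the thread plus the routing fix that keeps the real `$fromhost-ip`:

```python
import ipaddress

# Constructed topology standing in for the thread's X.X.4.X / X.X.5.X networks
# (assumed addresses, not taken from the original post):
#   client     10.0.4.20  on the .4 network
#   firewall   10.0.4.1 toward the client / 10.0.5.1 toward the log store
#   log store  10.0.5.10, single interface eth0
CLIENT_IP = "10.0.4.20"
FIREWALL_LOG_SIDE_IP = "10.0.5.1"

# Log store routing table as (destination network, egress interface).
# Only the directly connected .5 network is present: nothing says how to reach .4.
LOG_STORE_ROUTES = [
    (ipaddress.ip_network("10.0.5.0/24"), "eth0"),
]


def egress_interface(routes, ip):
    """Longest-prefix lookup: the interface the host would use to reach ip, or None."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(routes, src_ip, ingress_iface, mode):
    """Model of Linux net.ipv4.conf.<iface>.rp_filter for one inbound packet.

    mode 0: no check.
    mode 1 (strict): the route back to src_ip must leave via the interface the
            packet arrived on.
    mode 2 (loose): any route back to src_ip is enough.
    A packet that fails is dropped inside the kernel. tcpdump captures before
    that point, which is why it is visible there but never reaches rsyslog.
    """
    if mode == 0:
        return True
    back = egress_interface(routes, src_ip)
    if back is None:
        return False
    return back == ingress_iface if mode == 1 else True


def log_store_outcome(routes, src_ip, mode=1, ingress_iface="eth0"):
    """What rsyslog on the log store sees for a packet carrying this source address."""
    if rp_filter_accepts(routes, src_ip, ingress_iface, mode):
        return {"delivered": True, "fromhost_ip": src_ip}
    return {"delivered": False, "fromhost_ip": None}


def compare_configurations(mode=1):
    """The two iptables variants from the thread, plus a routing fix, under one rp_filter mode."""
    # First variant: DNAT only, the source address stays the client's .4 address.
    dnat_only = log_store_outcome(LOG_STORE_ROUTES, CLIENT_IP, mode)
    # Second variant: MASQUERADE rewrites the source to the firewall's .5 address.
    masquerade = log_store_outcome(LOG_STORE_ROUTES, FIREWALL_LOG_SIDE_IP, mode)
    # Fix that keeps the real source: give the log store a route back to the .4
    # network through the firewall (on a host: ip route add 10.0.4.0/24 via 10.0.5.1).
    with_route = LOG_STORE_ROUTES + [(ipaddress.ip_network("10.0.4.0/24"), "eth0")]
    fixed = log_store_outcome(with_route, CLIENT_IP, mode)
    return {"dnat_only": dnat_only, "masquerade": masquerade, "route_added": fixed}


def asymmetric_example():
    """Multihomed case: the route back to the client leaves via eth1, the packet arrived on eth0."""
    routes = LOG_STORE_ROUTES + [(ipaddress.ip_network("10.0.4.0/24"), "eth1")]
    return {mode: rp_filter_accepts(routes, CLIENT_IP, "eth0", mode) for mode in (0, 1, 2)}


if __name__ == "__main__":
    for name, result in compare_configurations().items():
        print(f"{name:12s} delivered={result['delivered']} $fromhost-ip={result['fromhost_ip']}")
    print("asymmetric routing, accepted per rp_filter mode:", asymmetric_example())
```

With strict filtering the DNAT-only variant is dropped (no route back to the client network), the MASQUERADE variant is delivered but with the firewall's address in `$fromhost-ip`, and adding the return route delivers the message with the client's real address; the asymmetric case shows where strict and loose mode differ. On a real host the same decision can be checked with `sysctl net.ipv4.conf.all.rp_filter` (the effective value is the larger of `conf/all` and the interface's own setting) and `ip route get <client-ip>`, and the kernel counts such drops in the `IPReversePathFilter` counter reported by `nstat`. Adding the return route is the preferable fix: it preserves the original source address in the logs without giving up the filter's protection against spoofed sources.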

