Thanks David,

Adding the routes solved my issue.

Kris
---- [email protected] wrote:
> do you have a route from the box running rsyslog to the source IP
> addresses that the logs are coming from? if you don't then even though
> you see them in a tcpdump, your applications will not see the packets
> (there is a config option in linux to disable this feature)
>
> David Lang
>
> On Mon, 19 Apr 2010, [email protected] wrote:
>
> > Date: Mon, 19 Apr 2010 15:05:26 +0100
> > From: [email protected]
> > Reply-To: rsyslog-users <[email protected]>
> > To: rsyslog-users <[email protected]>
> > Subject: Re: [rsyslog] iptables and centralised logs with rsyslog and UDP
> >
> > Hi Aaron,
> > I've run tcpdump on the log store (not the client) and I can see the
> > packets hitting the server; it seems to be rsyslog that's not picking them
> > up.
> >
> > Using tcpdump and the first iptables config gives the correct IP address
> > when tcpdump is run on the log store, but no message is shown in the log
> > files.
> >
> > Using tcpdump and the second iptables config gives the IP address of the
> > firewall when tcpdump is run on the log store, and the message appears in
> > the log file on disk.
> >
> > Hopefully that makes it a little more clear, but apologies if I
> > misunderstood the reply.
> >
> > Thanks
> > Kris
> >
> > ---- Aaron Wiebe <[email protected]> wrote:
> >> Kris, it sounds as though your iptables rules aren't working very
> >> well for you. I suggest you set up wireshark or tcpdump on the log
> >> host machine and run the test again - I bet you would find that the
> >> traffic isn't making it. In the case that the IP isn't rewritten,
> >> that is expected. You're doing NAT, so rsyslog would have no other
> >> detail about the remote host you are originally delivering the data
> >> from.
> >>
> >> At this point I think most of your problems are iptables related, and
> >> not really rsyslog related.
> >>
> >> -Aaron
> >>
> >> On Mon, Apr 19, 2010 at 5:24 AM, <[email protected]> wrote:
> >>> Hi All,
> >>>
> >>> I have a problem that I'm not sure how to get around.
> >>>
> >>> I have 3 machines, a client, a firewall and a log store. The firewall is
> >>> Linux running iptables. The client and log store are on different
> >>> networks (X.X.4.X) and (X.X.5.X). The firewall is used to bridge these
> >>> networks.
> >>>
> >>> I've configured rsyslog on the client (.4.) to send messages to the log
> >>> store (.5.). I've also configured a template on the log store to print the
> >>> $fromhost-ip and original raw message, and I'm printing everything (*.*)
> >>> to the log files.
> >>>
> >>> When the firewall rewrites the source address (so they appear to be
> >>> coming from the .5.x network), the messages get logged. If I leave the
> >>> source address alone, the messages disappear. I know the packets are
> >>> arriving at the log store with both configurations because I can see this
> >>> with tcpdump on the log store.
> >>>
> >>> On the firewall I have the following configuration that I've put together.
> >>>
> >>> iptables -A POSTROUTING -t nat -o eth1 -j ACCEPT
> >>> iptables -A PREROUTING -t nat -i -p udp --dport 514 -j DNAT
> >>> --to-destination X.X.5.X
> >>>
> >>> (On my actual config the Xs are not blanked out).
> >>>
> >>> Unfortunately with this rule in place I do not see anything in the log
> >>> file.
> >>>
> >>> Changing the first line of the iptables config to
> >>>
> >>> iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
> >>>
> >>> means that I can now see output getting to my log files, but the IP address
> >>> is incorrect.
> >>>
> >>> Is this a bug? Or is rsyslog doing some intelligent work under the hood
> >>> to detect IP address spoofing? I'm using Ubuntu Server 9.10.
> >>> Unfortunately, using the hostname instead of the IP address in my case is
> >>> not an option.
> >>>
> >>> Hope someone can help
> >>> Kris

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
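What David describes (packets visible in tcpdump but never delivered to rsyslog because the receiving box has no route back to the sender's network) matches the Linux reverse-path filter, controlled by the `net.ipv4.conf.*.rp_filter` sysctls; tcpdump taps the interface before that check, so it sees traffic the socket never gets. The POSIX sh diagnostic below is an added example, not code from the thread or from the rsyslog project. The pure functions take the `ip route get` output as a string so they can be exercised offline; the `diagnose_live` wrapper, the sample 10.0.4.0/24 and 10.0.5.0/24 addresses in its comments and the `IPReversePathFilter` counter lookup (only present on kernels that export it) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: predict whether rp_filter will drop a UDP/514 packet from
# a given source address arriving on a given interface. Not from the thread.

# Print the interface named after "dev" in an `ip route get` line, e.g.
#   "10.0.4.20 via 10.0.5.1 dev eth0 src 10.0.5.10"  ->  eth0
# Prints nothing (and still succeeds) when the line has no route.
route_dev() {
  set -- $1
  while [ $# -gt 1 ]; do
    if [ "$1" = dev ]; then
      printf '%s\n' "$2"
      return 0
    fi
    shift
  done
  return 0
}

# The kernel uses the larger of conf/all and conf/<iface> rp_filter values.
effective_rp_filter() {
  if [ "$1" -gt "$2" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# rp_filter_verdict MODE INGRESS_IFACE ROUTE_LINE -> "pass" or "drop"
#   mode 0: filter off, everything passes
#   mode 1: strict, the best route back to the source must leave via INGRESS_IFACE
#   mode 2: loose, any usable route back to the source is enough
rp_filter_verdict() {
  mode=$1
  ingress=$2
  route=$3
  case "$route" in
    ""|unreachable*|prohibit*|blackhole*) has_route=0 ;;
    *) has_route=1 ;;
  esac
  dev=$(route_dev "$route")
  case "$mode" in
    0) printf 'pass\n' ;;
    1) if [ "$has_route" -eq 1 ] && [ "$dev" = "$ingress" ]; then
         printf 'pass\n'; else printf 'drop\n'; fi ;;
    2) if [ "$has_route" -eq 1 ]; then printf 'pass\n'; else printf 'drop\n'; fi ;;
    *) printf 'unknown rp_filter mode %s\n' "$mode" >&2; return 2 ;;
  esac
}

# Live check on the log store (assumed helper): diagnose_live SRC_IP IFACE
# Example for the thread's layout: diagnose_live 10.0.4.20 eth0
diagnose_live() {
  src=$1
  iface=$2
  all=$(sysctl -n net.ipv4.conf.all.rp_filter)
  per=$(sysctl -n "net.ipv4.conf.$iface.rp_filter")
  mode=$(effective_rp_filter "$all" "$per")
  # ip route get prints nothing on stdout when there is no route
  route=$(ip route get "$src" 2>/dev/null | head -n 1)
  verdict=$(rp_filter_verdict "$mode" "$iface" "$route")
  printf 'rp_filter: all=%s %s=%s effective=%s\n' "$all" "$iface" "$per" "$mode"
  printf 'route back to %s: %s\n' "$src" "${route:-<none>}"
  printf 'packets from %s arriving on %s: %s\n' "$src" "$iface" "$verdict"
  # The kernel counts reverse-path drops here on kernels that export the
  # counter; a number that rises while the client sends confirms the diagnosis.
  nstat -az IPReversePathFilter 2>/dev/null || true
}

if [ $# -eq 2 ]; then
  diagnose_live "$1" "$2"
fi
```

Run as `sh rpcheck.sh <client-ip> <ingress-iface>` on the log store. The outcome Kris reported follows from this: with DNAT only, the packets keep the client's .4.x source address, the log store has no route back to that network, so rp_filter drops them before rsyslog's UDP socket while tcpdump still sees them; with MASQUERADE the source becomes the firewall's .5.x address, which is on-link, so the packets pass but `$fromhost-ip` records the firewall, which is exactly what NAT implies. Adding a route to the client network via the firewall (Kris's fix) makes the strict check pass; setting the interface's rp_filter to 2 also works but weakens the spoofing protection the filter provides, so the route is the better repair.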

