Re: [rsyslog] how to get the original IP address in a relay chain

Tue, 16 Oct 2018 16:38:48 -0700 


Thanks David for your reply,
Actually i do the similar thing , i store the msg to "Relay Server" and use 
template to append the "fromhost-ip" , then use "imfile " to resend the msg 
with fromhost-ip to "log server" 
but this cause disk IO on relay server which worried about the disk performance 
when client are huge
 i never use JSON in rsyslog before, i will try you method later
Another thing want to conform is this solution involve disk IO on "relay 
server" ?
Thanks!


Regards!
/Wu
At 2018-10-17 06:28:19, "David Lang" <da...@lang.hm> wrote:
>On Wed, 17 Oct 2018, wuhe wrote:
>
>> Hi :
>>     want to check how to get the original IP address after forward twice in 
>> a relay chain?
>>     like in this chain, how can the "Log Server" get the IP address (not 
>> hostname ) of "Client A/B/C"
>>     {Client A, Client B, Client C} ----> {Relay Server} ----> {Log Server}   
>>        (udp is used for forward)
>
>using the standard syslog format you cannot do so because the relays do no 
>pass 
>that information on.
>
>What I do is I repackage the message as JSON so that I can add additional 
>metadata
>
>on the relay:
>
>set $!msg=$msg;
>set $!trusted!orig!ip = $fromhost-ip;
>
>etc (I also have the relays store the timestamp of when they processed the 
>log, 
>which relay processed it, parse the message, and do other cleanups)
>
>then define a forwarding format that has %$!% instead of $msg in it.
>
>then on the log server, you can extract the metadata or the original message
>
>David Lang
>_______________________________________________
>rsyslog mailing list
>http://lists.adiscon.net/mailman/listinfo/rsyslog
>http://www.rsyslog.com/professional-services/
>What's up with rsyslog? Follow https://twitter.com/rgerhards
>NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
>sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
>THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.






















					Reply via email to