What you should be doing is looking at the hostname in the message rather than the
IP that the message appears to come from. As you have seen, the IP is affected by
relays, and it's also affected by NAT.
omudpspoof can help, but it's a very substantial performance hit.
David Lang
On Thu, 1 Apr 2021, Mariusz Kruk via rsyslog wrote:
Date: Thu, 1 Apr 2021 16:10:07 +0200
From: Mariusz Kruk via rsyslog <[email protected]>
To: [email protected]
Cc: Mariusz Kruk <[email protected]>
Subject: Re: [rsyslog] forward to 2nd server
It's a tricky question and the answer is not that straightforward.
There is an option - using a module called omudpspoof, which sends out UDP
datagrams with a spoofed source IP. However, this requires rsyslog running
as the root user (which is not the best idea) since it needs to manipulate
raw sockets.
But.
This works only for UDP. For TCP the connection will always have the
real source address since it obviously needs to do two-way traffic. And
TCP is much more reliable in terms of delivering messages than UDP.
So it probably would be best for you to "pack" the event on the source
server (for example - into a JSON structure) along with the source IP
and send it to the destination server to "unpack".
Unless of course your destination solution is some other system which
can't do this "unpacking".
On 01.04.2021 15:29, rsyslog--- via rsyslog wrote:
Hi,
I configured all my servers to send all to a central server with
"*.* @192.168.0.10:2514", which works great.
For some tests and proof-of-concepts, I'd like to have the syslog
messages also go to a second logserver. However, adding "*.*
@192.168.0.22:514" on the central server 192.168.0.10 makes all
messages appear to originate from there instead of the original source
IP.
Because we don't wanna go edit all servers, nor do we like to have all
messages go twice over the WAN, *IS* there a way to send the syslog
from the first syslog server to the second while preserving the
original source IP?
Thnx, Ton
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
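The "pack on the relay, unpack on the destination" approach from the thread, written out as an added example (not configuration posted by anyone in the thread). It assumes the second server runs rsyslog with the mmjsonparse module available and accepts TCP on port 514; the template names, the `origin_ip` field name and the file paths are hypothetical.

```conf
# ---- relay (192.168.0.10): add alongside the existing rules ----
# Keeps the original syslog header (so the sender's hostname survives) and
# packs the peer address the relay saw into a @cee: JSON payload.
template(name="PackOrigin" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    constant(value=" @cee:{\"origin_ip\":\"")
    property(name="fromhost-ip" format="json")
    constant(value="\",\"msg\":\"")
    property(name="msg" format="json")
    constant(value="\"}")
}
# TCP forward, used in place of "*.* @192.168.0.22:514"
action(type="omfwd" target="192.168.0.22" port="514" protocol="tcp"
       template="PackOrigin")

# ---- second log server (192.168.0.22) ----
module(load="imtcp")
module(load="mmjsonparse")
input(type="imtcp" port="514" ruleset="fromRelay")

template(name="Unpacked" type="string"
         string="%timereported:::date-rfc3339% %$!origin_ip% %hostname% %syslogtag%%$!msg%\n")

ruleset(name="fromRelay") {
    # origin_ip is whatever the sender wrote, so only unpack it for the relay
    if $fromhost-ip == "192.168.0.10" then {
        action(type="mmjsonparse")
        if $parsesuccess == "OK" then {
            action(type="omfile" file="/var/log/remote/unpacked.log" template="Unpacked")
            stop
        }
    }
    # anything else is written as received, without trusting any origin_ip
    action(type="omfile" file="/var/log/remote/other.log")
}
```

The `$fromhost-ip` check matters because the packed address is a claim made by the sender: without it, any host that can reach the TCP listener could submit events attributed to an arbitrary source.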