Syslog-NG problem with two relay servers

Time: 2017-10-30 13:11:22

Tags: syslog syslog-ng

I am trying to forward logs through two syslog-ng relay servers, but the first relay server's IP gets added as the source, and in my SIEM I see all logs coming from the first syslog relay server.

The setup is as follows.

Client -> Syslog-Relay1 ---> Syslog-Relay2 ---> SIEM

In the SIEM, I see all log sources as Syslog-Relay1. I have played with multiple options but no luck so far. Any idea what I am missing here? I have not found any proper documentation or forum post explaining this setup. We need to meet some specific log-flow requirements, in case you are wondering why I am trying to achieve this. Thanks in advance.

Below is my configuration:

Syslog-Relay1

@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/
options {
    time-reap(30);
    mark-freq(10);
#    keep-hostname(yes);
    keep-hostname(no);
    log_msg_size(65536);
    log_fifo_size(10000);
    threaded(yes);
    flush_lines(100);
    use_dns(no);
    stats_freq(60);
    mark_freq(36400);
    use_fqdn(no);
#    chain-hostnames(yes);
    chain-hostnames(no);
};


source s_syslog_over_network {
        network(
                ip(0.0.0.0)
                log-fetch-limit(200)
                log-iw-size(1000000)
                keep-alive(yes)
                max_connections(10000)
                port(9999)
                transport("tcp")
                flags(no-parse)
        );
};


destination d_syslog_tcp {
       network(
                "10.12.86.98"
                transport("tcp")
                port(12229)
        );
};

log {
        source(s_syslog_over_network);
        destination(d_syslog_tcp);
};

Syslog-Relay2

@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/
options {
    time-reap(30);
    mark-freq(10);
#    keep-hostname(yes);
    keep-hostname(no);
    log_msg_size(65536);
    log_fifo_size(10000);
    threaded(yes);
    flush_lines(100);
    use_dns(no);
    stats_freq(60);
    mark_freq(36400);
    use_fqdn(no);
#    chain-hostnames(yes);
    chain-hostnames(no);
};


source s_syslog_over_network {
        network(
                ip(0.0.0.0)
                log-fetch-limit(200)
                log-iw-size(1000000)
                keep-alive(yes)
                max_connections(10000)
                port(12229)
                transport("tcp")
                flags(no-parse)
        );
};



destination d_syslog_tcp {
        network(
                "10.12.86.76"
                transport("tcp")
                port(12221)
        );
};

log {
        source(s_syslog_over_network);
        destination(d_syslog_tcp);
};

1 Answer:

Answer 0: (score: 1)

If you want the client's IP address to appear in the SIEM, you have to:

1. Set keep-hostname(no) and use-dns(no) on Syslog-Relay1.

   This discards the original HOST field of the client's message and uses the client's IP address instead.

2. Set keep-hostname(yes) on Syslog-Relay2.

   On Syslog-Relay1 the HOST field of the message was overwritten; you want to keep that value and forward it to the SIEM.

3. Remove flags(no-parse) from s_syslog_over_network on Syslog-Relay2.

   The client's IP is stored in the message, so it must be parsed before forwarding to the SIEM.
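The answer's changes applied to Syslog-Relay2, as an added example (not a file from the question or the answer); Relay1 stays as posted, since it already has keep-hostname(no) and use-dns(no). The IPs and ports are the ones quoted in the question and are assumed to still apply.

```conf
@version: 3.5
@include "scl.conf"
# Added example: Syslog-Relay2 with the answer's two changes applied. It is
# not the asker's or answerer's file; addresses and ports are the ones quoted
# in the question and are assumed to still apply.
options {
    time-reap(30);
    # Trust the HOST field Relay1 wrote into the header (the client's IP)
    # instead of replacing it with Relay1's address, which is the symptom
    # seen in the SIEM.
    keep-hostname(yes);
    # Keep HOST a single value rather than a "relay/client" chain.
    chain-hostnames(no);
    use-dns(no);
    use-fqdn(no);
    log-msg-size(65536);
    log-fifo-size(10000);
    flush-lines(100);
    threaded(yes);
    stats-freq(60);
    mark-freq(36400);
};
# flags(no-parse) removed: the header from Relay1 must be parsed so the
# client IP lands in ${HOST} instead of being buried in the message body.
source s_syslog_over_network {
    network(
        ip(0.0.0.0)
        port(12229)
        transport("tcp")
        keep-alive(yes)
        max-connections(10000)
        log-fetch-limit(200)
        log-iw-size(1000000)
    );
};
destination d_syslog_tcp {
    network(
        "10.12.86.76"
        transport("tcp")
        port(12221)
    );
};
log {
    source(s_syslog_over_network);
    destination(d_syslog_tcp);
};
```

After reloading, the SIEM should show the client IP as the source while the original header from the client remains inside the message body, as the answer describes.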