Domain name in source field?


#1

My Graylog is listening to a Sophos firewall with a Syslog UDP raw input on port 514. I can't see the domain name of the firewall in the dashboard. The field “source” just shows me the IP. I guess the field “gl2_remote_ip” should display the IP, and it does… Is it possible to extract the domain name in the field “source”?


(Jan Doberstein) #2

Hej @kistov

You should check the documentation about extractors and the processing pipelines.


#3

I just tried to extract this information with a grok pattern, but every time I just get the IP of the firewall… Will the source field be overwritten if I create a new pipeline? It would be nice if Graylog got this info automatically out of DNS, maybe with nslookup or something.


(Jan Doberstein) #4

hej @kistov

You can enable rDNS lookups on the input, but that will do a DNS lookup for every message. That might have an impact on performance.

With pipelines or extractors you are able to overwrite every available field of the message. You can even delete fields or do some kind of transformation.

/jd


#5

Hi @jan,
the problem is that I only receive messages from the firewall when I set the input to Raw/Plaintext UDP, and there is no option to force rDNS. If I change the input to Syslog UDP, I'll only get messages from our router…

I just created an extractor as an additional field in the dashboard for the field “source” named “dns”, which replaces the IP address with the DNS name. That's OK for the information in the dashboard, but it's hard-coded, and if the IP of the firewall changes someday, the extractor will be useless… Is there no other way to do this? I'm new here and don't know the syntax for pipelines, rules and extractors that well.
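A pipeline rule of the kind Jan describes in #4 that avoids the hard-coded IP from #5, added here as an example; it is not code from the thread or from Graylog itself. It assumes a lookup table named `rdns` (assumed name) backed by a DNS data adapter configured for reverse (PTR) lookups, whose cache keeps the per-message DNS cost that Jan warns about in check:

```graylog
rule "replace source IP with hostname via rdns lookup table"
when
    has_field("source") &&
    // only touch messages whose source is still a bare IPv4 address,
    // so messages that already carry a hostname are left untouched
    regex("^\\d{1,3}(\\.\\d{1,3}){3}$", to_string($message.source)).matches
then
    // keep the original address in its own field so it is never lost
    // for searches, alerts and correlation
    set_field("source_ip", to_string($message.source));

    // "rdns" is an assumed lookup table name; its DNS data adapter does the
    // PTR lookup and caches the answer. If no PTR record exists, fall back
    // to the IP itself instead of writing an empty source field.
    let name = lookup_value("rdns", to_string($message.source), to_string($message.source));
    set_field("source", to_string(name));
end
```

Attach the rule to a pipeline connected to the stream that receives the raw UDP input; because the lookup is keyed on whatever address arrives, nothing needs to change if the firewall's IP changes.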


(Jan Doberstein) #6

hej @kistov

Why not create multiple inputs for different sources of data?


#7

@jan
Because I got the error message “address already in use” in the logs and the input failed to start. I'm forced to use UDP 514!

With this input I can receive messages from the Sophos firewall and the Lancom router, but I can't force rDNS:
Syslog (UDP) (RAW) Raw/Plaintext UDP 1 RUNNING
bind_address: 0.0.0.0
override_source: <empty>
port: 514
recv_buffer_size: 262144

And with this input I can only receive messages from the Lancom router:
test Syslog UDP 1 FAILED
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: true
override_source: <empty>
port: 514
recv_buffer_size: 262144
store_full_message: false

(@_bkeep) #8

Have you tried setting a port like 10514 for a new input?


#9

It's not possible to change the port on the Lancom router for outgoing syslog messages; I'm forced to work with port 514 on one input to receive messages from both devices.


(Philipp Ruland) #10

Hey @kistov,

How about using iptables to reroute the different source IPs to different ports? This is what I have done.
Something along the lines of:

/sbin/iptables --table nat --append PREROUTING --protocol udp --source xxx.xxx.xxx.xxx --dport 514 --jump REDIRECT --to-ports 5141
/sbin/iptables --table nat --append PREROUTING --protocol udp --source yyy.yyy.yyy.yyy --dport 514 --jump REDIRECT --to-ports 5142

(Taken from here)

Greetings - Phil


#11

@DerPhlipsi, @alias454
Thanks for all your replies. I think I'll keep my “Bastellösung” (makeshift solution), because I don't think that the IP of our firewall will ever be changed… It's an acceptable solution just for displaying the domain name of our firewall on dashboards.


(Michael P) #12

Hi Kistov,

Was there anything special you had to do to get Sophos to send the logs? I am having issues: I can get Sophos to send on 12514, but Graylog never sees it; messages are recorded, but I can't see anything in the query. If I just change the syslog IP in Sophos, I get all the messages as normal on a Windows log server…

Any suggestions would be appreciated.

Thanks


(conor mcgreat) #13

I had the same trouble. I fixed it. :medal_military: