Domain name in source field?

My Graylog is listening to a Sophos firewall with a syslog UDP raw input on port 514. I can't see the domain name of the firewall in the dashboard. The field “source” just shows me the IP. I guess the field “gl2_remote_ip” should display the IP, and it does… Is it possible to extract the domain name in the field “source”?

Hej @kistov

You should check the documentation about extractors and the processing pipelines.

I just tried to extract this information with a grok pattern, but every time I just get the IP of the firewall… Will the source field be overwritten if I create a new pipeline? It would be nice if Graylog got this info automatically out of DNS, maybe with nslookup or something.

hej @kistov

You can enable rDNS lookups on the input, but that will do a DNS lookup for every message. That might have an impact on performance.

With pipelines or extractors you are able to overwrite every available field of the message. You can even delete fields or do some kind of transformation.

/jd

Hi @jan,
the problem is that I only receive messages from the firewall when I set the input to Raw/Plaintext UDP, and there is no option to force rDNS there. If I change the input to Syslog UDP, I only get messages from our router…

I just created an extractor as an additional field in the dashboard for the field “source”, named “dns”, which replaces the IP address with the DNS name. That's OK for the information in the dashboard, but it's hard-coded, and if the IP of the firewall changes some day, the extractor will be useless… Is there no other way to do this? I'm new here and don't know the syntax for pipelines, rules and extractors that well.

hej @kistov

Why not create multiple inputs for the different sources of data?

@jan
Because I got the error message “address already in use” in the logs and the input failed to start. I'm forced to use UDP 514!

With this input I can receive messages from the Sophos firewall and the Lancom router, but I can't force rDNS:

Syslog (UDP) (RAW) Raw/Plaintext UDP 1 RUNNING
bind_address: 0.0.0.0
override_source:
port: 514
recv_buffer_size: 262144

And with this input I can only receive messages from the Lancom router:

test Syslog UDP 1 FAILED
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: true
override_source: <empty>
port: 514
recv_buffer_size: 262144
store_full_message: false

Have you tried setting a port like 10514 for a new input?

It's not possible to change the port on the Lancom router for outgoing syslog messages; I'm forced to work with port 514 on one input to receive messages from both devices.

Hey @kistov,

How about using iptables to reroute the different source IPs to different ports? This is what I have done.
Something along the lines of:

/sbin/iptables --table nat --append PREROUTING --protocol udp --source xxx.xxx.xxx.xxx --dport 514 --jump REDIRECT --to-ports 5141
/sbin/iptables --table nat --append PREROUTING --protocol udp --source yyy.yyy.yyy.yyy --dport 514 --jump REDIRECT --to-ports 5142

(Taken from here)

Greetings - Phil

1 Like

@derPhlipsi, @alias454
Thanks for all your replies. I think I'll keep my “Bastellösung” (makeshift solution), because I don't think that the IP of our firewall will ever be changed… It's an acceptable solution just for displaying the domain name of our firewall on dashboards.

Hi Kistov,

Was there anything special you had to do to get Sophos to send the logs? I am having issues: I can get Sophos to send on 12514, but Graylog never sees it; messages are recorded, but I can't see anything in the query. If I just change the syslog IP in Sophos, I get all the messages as normal on a Windows log server …

Any suggestions would be appreciated.

Thanks

I had the same trouble. I fixed it.

@kistov
I saw your post about UDP redirect with iptables. It would be great if I could do this for our setup. All our stuff is network gear, and some of the devices can only use udp/514. I want to send Aruba wireless to udp/5008 and everyone else to udp/5000.

I have this…

iptables -t nat -A PREROUTING -p udp --dport 514 --source 10.30.5.0/24 -j REDIRECT --to-port 5008
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 5000

All my Aruba devices are on 10.30.5.0/24, so this looks like it would work great.
But two problems:

1. The command
   iptables -t nat -v -L -n --line-number
   …shows no hits on the source-specified NAT line 1.
2. The new Graylog input filter on udp/5008 shows no messages coming in (probably because the NAT is not working properly yet).

How did you get your setup to work? Are there any additional tweaks you had to do?

Thanks!
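The per-source port redirect described in Phil's reply and in the Aruba question above, written out as a small script. This is an added example, not code from the thread or from Graylog: it generates the nat/PREROUTING REDIRECT rules from a mapping so the order is explicit (the source-specific rules are appended first, the catch-all last, which is what makes the counters in the --line-numbers listing meaningful), and it can be previewed without root by setting IPTABLES=echo. The subnets, host address and target ports are constructed sample values; the Graylog inputs on those ports are assumed to exist.

```shell
#!/bin/sh
# Added example (not from the thread): emit the per-source iptables REDIRECT
# rules for syslog on udp/514. Set IPTABLES=echo to preview the commands
# instead of applying them (applying requires root and a netfilter kernel).

: "${IPTABLES:=/sbin/iptables}"

# Constructed sample mapping: "source match" -> Graylog input port.
# Most-specific matches go here; everything else falls through to DEFAULT_PORT.
RULES='10.30.5.0/24 5008
192.0.2.10/32 5141
'
DEFAULT_PORT=5000

# Append one REDIRECT rule in nat/PREROUTING for a given source match.
redirect_rule() {
    src="$1"; port="$2"
    "$IPTABLES" -t nat -A PREROUTING -p udp --dport 514 --source "$src" \
        -j REDIRECT --to-ports "$port"
}

# Append the source-specific rules first, then the catch-all.
# Order matters: nat/PREROUTING is evaluated top-down and the first match wins,
# so a catch-all placed before the specific rules would swallow everything.
apply_rules() {
    printf '%s' "$RULES" | while read -r src port; do
        [ -n "$src" ] && redirect_rule "$src" "$port"
    done
    "$IPTABLES" -t nat -A PREROUTING -p udp --dport 514 \
        -j REDIRECT --to-ports "$DEFAULT_PORT"
}

# Show packet/byte counters per rule with line numbers; a rule whose counter
# stays at 0 while traffic arrives is not matching (wrong source, wrong order,
# or packets not traversing PREROUTING, e.g. generated on the host itself).
show_rules() {
    "$IPTABLES" -t nat -v -L PREROUTING -n --line-numbers
}
```

Run as `IPTABLES=echo sh redirect.sh` after adding `apply_rules` at the bottom to see the exact commands, then without the override to apply them and `show_rules` to check which line the counters land on. Note that PREROUTING only sees packets entering from the network; a test sender running on the Graylog host itself goes through OUTPUT instead and will never increment these counters.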