My Graylog is listening to a Sophos firewall with a syslog UDP raw input on port 514. I can't see the domain name of the firewall in the dashboard. The field "source" just shows me the IP. I guess the field "gl2_remote_ip" should display the IP, and it does... Is it possible to extract the domain name into the field "source"?
I just tried to extract this information with a grok pattern, but every time I just get the IP of the firewall... Will the source field be overwritten if I create a new pipeline? It would be nice if Graylog got this info automatically out of DNS, maybe with nslookup or something.
You can enable rDNS lookups on the input, but that will do a DNS lookup for every message. That might have an impact on performance.
With pipelines or extractors you are able to overwrite every available field of the message. You can even delete fields or do some kind of transformation.
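Added example (not code from Graylog and not posted by anyone in this thread): a Python sketch of what the reply above describes, a reverse-DNS lookup that rewrites the "source" field, but with a TTL cache so the resolver is not hit once per message, and with a forward-confirmation step, because the PTR record is written by whoever controls the reverse zone for that IP and should not be trusted as a display name on its own. Assumed message shape: a dict whose "source" holds the sender's IP, as a raw/plaintext UDP input sets it. The DNS records and log lines in the block are constructed so it runs offline.

```python
"""Reverse-DNS enrichment of the syslog `source` field with a TTL cache.

Added example, not Graylog code.  Assumed message shape: a dict with
`source` holding the sender's IP address.
"""
import ipaddress
import socket
import time
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    """A/AAAA lookup through the OS resolver; empty list on failure."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


class ReverseDnsCache:
    """Maps IP -> hostname, remembering results (misses too) for `ttl` seconds."""

    def __init__(self,
                 reverse: Callable[[str], Optional[str]] = system_reverse,
                 forward: Callable[[str], List[str]] = system_forward,
                 ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._reverse, self._forward, self._ttl, self._clock = reverse, forward, ttl, clock
        self._cache: Dict[str, Tuple[Optional[str], float]] = {}
        self.lookups = 0  # resolver calls actually made; shows the cache working

    def name_for(self, ip: str) -> Optional[str]:
        now = self._clock()
        hit = self._cache.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.lookups += 1
        name = self._reverse(ip)
        # The PTR record is controlled by the owner of the reverse zone, so
        # only accept a name whose forward record points back at this IP.
        if name is not None and ip not in self._forward(name):
            name = None
        self._cache[ip] = (name, now + self._ttl)
        return name


def enrich(messages: Iterable[dict], cache: ReverseDnsCache) -> Iterator[dict]:
    """Rewrite `source` to the confirmed hostname, keeping the IP in `source_ip`."""
    for msg in messages:
        src = msg.get("source")
        try:
            ipaddress.ip_address(src)
        except ValueError:
            yield msg              # already a hostname (e.g. from a syslog header)
            continue
        out = dict(msg, source_ip=src)
        name = cache.name_for(src)
        if name is not None:
            out["source"] = name
        yield out


# Constructed sample data, not real device output and not real DNS.
SAMPLE_MESSAGES = [
    {"source": "192.0.2.10", "message": "sample firewall line 1"},
    {"source": "192.0.2.10", "message": "sample firewall line 2"},
    {"source": "192.0.2.66", "message": "sample line from a host with a bogus PTR"},
    {"source": "router.example.internal", "message": "sample router line"},
]
FAKE_PTR = {"192.0.2.10": "fw.example.internal", "192.0.2.66": "spoof.example"}
FAKE_A = {"fw.example.internal": ["192.0.2.10"], "spoof.example": ["203.0.113.1"]}


def demo() -> Tuple[List[str], int]:
    """Run the sample through a cache backed by the fake records above."""
    cache = ReverseDnsCache(reverse=FAKE_PTR.get, forward=lambda n: FAKE_A.get(n, []))
    sources = [m["source"] for m in enrich(SAMPLE_MESSAGES, cache)]
    return sources, cache.lookups


if __name__ == "__main__":
    print(demo())
```

With the fake records, the two firewall lines cost one resolver call between them, the host whose PTR does not forward-confirm keeps its IP as "source", and the message that already carries a hostname is passed through untouched.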
The problem is that I only receive messages from the firewall when I set the input to raw/plaintext UDP, and there is no option to force rDNS. If I change the input to syslog UDP, I'll only get messages from our router...
I just created an extractor as an additional field in the dashboard for the field "source", named "dns", which replaces the IP address with the DNS name. That's OK for the information in the dashboard, but it's hard-coded, and if the IP of the firewall changes some day, the extractor will be useless... Is there no other way to do this? I'm new here and don't know the syntax for pipelines, rules and extractors that well.
Why not create multiple inputs for different sources of data?
Because I got the error message "address already in use" in the logs and the input failed to start. I'm forced to use UDP 514!
With this input I can receive messages from the Sophos firewall and the LANCOM router, but I can't force rDNS:
Syslog (UDP) (RAW) Raw/Plaintext UDP 1 RUNNING
And with this input I can only receive messages from the LANCOM router:
test Syslog UDP 1 FAILED
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: true
override_source: <empty>
port: 514
recv_buffer_size: 262144
store_full_message: false
Have you tried setting a different port, like 10514, for a new input?
It's not possible to change the port for outgoing syslog messages on the LANCOM router. I'm forced to work with port 514 on one input to receive messages from both devices.
How about using iptables to reroute the different source IPs to different ports? This is what I have done.
Something along the lines of:
/sbin/iptables --table nat --append PREROUTING --protocol udp --source xxx.xxx.xxx.xxx --dport 514 --jump REDIRECT --to-ports 5141
/sbin/iptables --table nat --append PREROUTING --protocol udp --source yyy.yyy.yyy.yyy --dport 514 --jump REDIRECT --to-ports 5142
(Taken from here)
Greetings - Phil
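Added example, not Phil's commands and not from anyone else in this thread: a small POSIX shell script that applies the REDIRECT approach above for several devices at once. The addresses and ports in it are placeholders. Two points a practitioner wants when doing this: the nat PREROUTING chain is first-match, so specific sources must be listed before any catch-all, and the nat table is only consulted for the first packet of a conntrack flow, so a device that has been sending steadily keeps its old (non-redirected) mapping until its conntrack entry expires or is flushed, and the new rule shows zero hits meanwhile. REDIRECT changes only the destination port, so Graylog's gl2_remote_ip still shows the real device; the packet is delivered to the primary address of the incoming interface, which an input bound to 0.0.0.0 picks up.

```shell
#!/bin/sh
# Split a single UDP/514 syslog stream onto per-device local ports with
# iptables REDIRECT, so each device can get its own Graylog input.
# Added example, not the commands posted in this thread; the addresses and
# ports below are placeholders.  Run "sh split514.sh apply" as root, or with
# IPTABLES=echo to print the commands without applying them.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# One "<source> <local port>" per line.  PREROUTING is first-match, so the
# specific hosts/subnets must come before the 0.0.0.0/0 catch-all.
MAPPINGS='
192.0.2.10       5141
192.0.2.20       5142
198.51.100.0/24  5008
0.0.0.0/0        5000
'

# rule_spec SRC PORT: the match/target part of one rule.  REDIRECT rewrites
# only the destination port; the source address is untouched, so Graylog's
# gl2_remote_ip still shows the real device.
rule_spec() {
    printf '%s\n' "-p udp -s $1 --dport 514 -j REDIRECT --to-ports $2"
}

# plan: print every rule spec in chain order.
plan() {
    printf '%s\n' "$MAPPINGS" | while read -r src port; do
        [ -n "$src" ] || continue
        rule_spec "$src" "$port"
    done
}

# apply: append each rule once (skipping rules that already exist), then drop
# existing conntrack entries.  NAT is decided on the first packet of a tracked
# flow only, so flows seen before the rule was added keep hitting the old
# path and the new rule shows 0 packets until they expire.
apply() {
    plan | while read -r spec; do
        if [ "$IPTABLES" != echo ] && $IPTABLES -t nat -C PREROUTING $spec 2>/dev/null; then
            continue
        fi
        $IPTABLES -t nat -A PREROUTING $spec
    done
    if [ "$IPTABLES" != echo ] && command -v conntrack >/dev/null 2>&1; then
        conntrack -F   # conntrack-tools; flushes all tracked flows, not just syslog
    fi
}

# show: per-rule packet counters, to verify which rule each device hits.
show() {
    $IPTABLES -t nat -L PREROUTING -v -n --line-numbers
}

case "${1:-}" in
    apply) apply ;;
    show)  show ;;
esac
```

After "apply", run "show" and send a test message from each device: the counter on the device's own line should increase, not the catch-all's. If the specific line stays at zero while the device keeps logging, the flow is still being tracked under the old mapping and the conntrack flush (or waiting out the UDP timeout) is what fixes it.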
Thanks for all your replies. I think I'll keep my makeshift solution ("Bastellösung"), because I don't think the IP of our firewall will ever be changed... It's an acceptable solution just for displaying the domain name of our firewall on dashboards.
Was there anything special you had to do to get Sophos to send the logs? I am having issues: I can get Sophos to send on 12514, but Graylog never sees it; messages are recorded, but I can't see anything in the query. If I just change the syslog IP in Sophos, I get all the messages as normal on a Windows log server...
Any suggestions would be appreciated.
I saw your post about UDP redirect with iptables. It would be great if I could do this for our setup. All our stuff is network gear, and some of the devices can only use udp/514. I want to send Aruba wireless to udp/5008 and everyone else to udp/5000.
I have this…
iptables -t nat -A PREROUTING -p udp --dport 514 --source 10.30.5.0/24 -j REDIRECT --to-ports 5008
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 5000
All my Aruba devices are on 10.30.5.0/24, so this looks like it would work great.
But there are two problems:
- The command
iptables -t nat -v -L -n --line-number
…shows no hits on the source-specified NAT line 1.
- The new Graylog input filter on udp/5008 shows no messages coming in (probably because the NAT is not working properly yet).
How did you get your setup to work? Are there any additional tweaks you had to do?