Graylog with NGINX udp proxy, keep source ip

jimmi · November 5, 2020, 8:58am

Hallo.

I stumbled across Graylog, and wanted to give it a try.

I setup the server, with a NGINX stream proxy in front of it, everything is working perfect. But all my syslog i receive gets the NGINX-servers ip as the source.

How do i keep the source adress from my (example) ASA firewall instead. I cant seem to fingure it out. My NGINX i very simple as follows:

stream {
server {
listen 514 udp:

	proxy_pass 10.10.10.20:10514;
	}

}

shoothub · November 5, 2020, 2:30pm

If hostname is directly in Syslog message, you can extract it and replace source field with it using pipeline rule. If there is no hostname in syslog, graylog can use address sending logs. Please post your example message, and how do you parse it?

Topic		Replies	Views
Graylog + Nginx Load Balanced Syslog - Source is the Load Balancer Graylog Central (peer support)	2	3989	April 26, 2017
Forwarding syslogs from syslog-ng server to Graylog Graylog Central (peer support) basic-configuration	11	5292	June 17, 2022
Multiple servers forwarding to Graylog Graylog Central (peer support)	5	2451	December 14, 2017
I have some questions about default field 'source' Graylog Central (peer support) pipeline-rules	5	4505	April 24, 2017
Syslog input without source ip Graylog Central (peer support)	4	5777	February 2, 2018

Graylog with NGINX udp proxy, keep source ip

Related topics