Is it possible to reformat the source IP of a relayed message?

(Dan) #1

I wonder if you can help with the following query?

I have a client (Centos 7) server (IP in my office that sends its logs to a Centos 7 Syslog server (IP address The syslog server forwards its logs to a Centos 7 Graylog v1.1.1 server (IP address The three devices can successfully talk to one another and are using default ports and configurations as far as I am aware.

My issue is as follows: the logs displayed on the Graylog server have a source IP address and gl2_remote_ip of my syslog server ( I would like the source IP address (and even the gl2_remote_ip) to be that of the client server (

So far, I have looked at using extractors to pull an IP address out of the message field (shown below) and am currently in the process of writing a drool script.

facility local1
full_message <142>May 31 15:11:57 116: .May 31 14:11:52.321: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host started - CLI initiated
gl2_remote_port 40331
level 6
message 116: .May 31 14:11:52.321: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host started - CLI initiated

However, each time I try to use regex commands (which I tested using the website Graylog gives me an error telling me my regex is faulty. I have read through Graylog documentation and as far as I can tell, the regex it uses should be prett standard, but can anyone tell me what kind it is?

This regex line should work, according to the tester:

So, in conclusion, can anyone help me pulling values from one part of a Graylog message and adding them back into another bit of the message?

I want the end result of a message to look like the following:

facility local1
full_message <142>May 31 15:11:57 116: .May 31 14:11:52.321: %SYS-6-
LOGGINGHOST_STARTSTOP: Logging to host started - CLI initiated
gl2_remote_port 40331
level 6
message 116: .May 31 14:11:52.321: %SYS-6-LOGGINGHOST_STARTSTOP:
Logging to host started - CLI initiated
Thanks a lot.

(Dan) #2

yum install syslog-ng

cat syslog-ng.conf

@include "scl.conf"

# syslog-ng configuration file.
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);

source s_sys {

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

and then

cat conf.d/20-syslog.conf filter f_fiddling { facility(local0); }; log
{ source(s_sys); filter(f_fiddling); destination(fiddling); };
destination fiddling { syslog (“” transport (“udp”) port
(514) spoof_source(yes)); };

(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.