Redirect specific source IPs

Hello guys,

Some network devices (e.g. Cisco) do not let you configure a syslog destination port other than 514, but with nginx you can map the messages to another port so they land in separate inputs.
E.g. if you want to listen on port 514 and forward messages from Host A to port 12212 and messages from Host B to port 12213, you can use the map directive:

Variant 1:

In this variant, source IPs other than 192.168.30.10 or 192.168.30.55 are not redirected to a separate server block that also listens on 514. See Variant 2 for a way around this issue.

map $remote_addr $port {
    # Redirect messages from 192.168.30.10 from port 514 to port 12212
    192.168.30.10 12212;

    # Redirect messages from 192.168.30.55 from port 514 to port 12213
    192.168.30.55 12213;

    # Default port for all other source IPs
    default 514;
}

Variant 2:
In this example, every IP listed in the following map {} block is redirected to the backend named next to it. If the source IP is not listed in the map {} block, it is routed to the default graylog514 backend.
The example is for UDP:

map $remote_addr $newbackend {
    # redirect incoming packets with source ip = 192.168.17.14 and port = 514 to a backend with port 51461
    192.168.17.14 graylog_port_51461;

    192.168.18.11 graylog_port_51462;

    192.168.3.13 graylog_port_51463;

    192.168.1.15 graylog_port_51422;

    192.168.1.140 graylog_port_51430;

    # all other source IPs go to the default backend on port 514
    default graylog514;
}

server {
    listen 514 udp;
    proxy_responses 0;
    proxy_bind $remote_addr transparent;
    proxy_pass $newbackend;
}

upstream graylog514 {
    server graylog1.example.com:514;
    server graylog2.example.com:514;
}

upstream graylog_port_51461 {
    server graylog1.example.com:51461;
    server graylog2.example.com:51461;
}

server {
    # TCP
    listen 51461;
    proxy_pass graylog_port_51461;
}

server {
    # UDP
    listen 51461 udp;
    proxy_responses 0;
    proxy_bind $remote_addr transparent;
    proxy_pass graylog_port_51461;
}

To prevent nginx from overriding the original source IP, you can define:

proxy_bind $remote_addr transparent;

This keeps the original source IP on the forwarded packets.

As you can see, I also use the option proxy_responses 0;
Otherwise nginx would wait for responses to the UDP packets, which will never arrive, and it would keep those connections open, so the number of open connections would grow with every incoming UDP packet.
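One thing to check in a setup like Variant 2: when proxy_pass gets its target from a variable, nginx looks the name up among the upstream {} blocks at runtime instead of at config test time, so a map entry pointing at an upstream you forgot to define only shows up as an error in the logs while the logs from that source go missing. The following script is an added example (not part of the original post or of nginx) that parses a stream config and lists map targets without a matching upstream block; the embedded config is a constructed sample that, like the post, defines only graylog514 and graylog_port_51461.

```python
import re

# Constructed sample: the Variant 2 map plus the two upstream blocks the post
# shows. graylog_port_51462 is referenced but, as in the post, never defined.
NGINX_STREAM_CONF = """
map $remote_addr $newbackend {
    # redirect packets from 192.168.17.14 to the backend on port 51461
    192.168.17.14 graylog_port_51461;
    192.168.18.11 graylog_port_51462;
    default graylog514;
}
upstream graylog514 {
    server graylog1.example.com:514;
    server graylog2.example.com:514;
}
upstream graylog_port_51461 {
    server graylog1.example.com:51461;
}
"""

MAP_RE = re.compile(r"map\s+\$remote_addr\s+\$(\w+)\s*\{(.*?)\}", re.S)
UPSTREAM_RE = re.compile(r"upstream\s+(\S+?)\s*\{(.*?)\}", re.S)
ENTRY_RE = re.compile(r"^\s*([\w.:/]+)\s+([\w.-]+)\s*;", re.M)


def strip_comments(text):
    """Drop '# ...' comments so they cannot be mistaken for directives."""
    return re.sub(r"#[^\n]*", "", text)


def parse_map(conf):
    """Return {source_ip_or_'default': backend_name} from the $remote_addr map."""
    m = MAP_RE.search(strip_comments(conf))
    if not m:
        raise ValueError("no 'map $remote_addr ...' block found")
    return {src: dst for src, dst in ENTRY_RE.findall(m.group(2))}


def parse_upstreams(conf):
    """Return {upstream_name: [server address, ...]} for every upstream block."""
    return {name: re.findall(r"server\s+(\S+?)\s*;", body)
            for name, body in UPSTREAM_RE.findall(strip_comments(conf))}


def unresolved_backends(conf):
    """Map targets that have no upstream {} block; these fail only at runtime."""
    mapping, upstreams = parse_map(conf), parse_upstreams(conf)
    return sorted({dst for dst in mapping.values() if dst not in upstreams})


if __name__ == "__main__":
    for name in unresolved_backends(NGINX_STREAM_CONF):
        print(f"map target {name!r} has no upstream block")
```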

Hope you can use some of those examples in your setup. :wink:

Best regards
