Syslog for devices behind a NAT


I have a question regarding getting syslog data from devices behind a NAT and in general how Graylog works. In my current environment, I have some devices behind a NAT. By default, any traffic coming out of this environment shows as coming from one common source IP address, which is the NAT IP. My logging server, i.e. the Graylog server, is outside of the NAT.

Before using Graylog, I was using a different product. In that product, I was facing this issue of how to segregate the traffic for these devices behind the NAT, because the syslog server was showing only the NAT IP irrespective of whichever device was sending the syslog traffic.

However, in Graylog I am not facing this problem. The Graylog server automatically sorts the syslog traffic based on the hostname of the device that's sending the data instead of the IP. How is Graylog able to do this? Why does it not complain about all these devices that are behind my NAT sending data from the same IP?

Thank you in advance.

Graylog is using the hostname (see RFC 5424, section 6.4) of the syslog message.

If the hostname inside the syslog message is wrong or missing, Graylog can also only fall back to using the source address of the network packets.
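The behaviour described in the answer, sketched as an added example (not Graylog's code and not part of the original posts): take the HOSTNAME field from the syslog header and fall back to the packet's source address when it is absent. The function names, the NAT address and the sample messages are constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP ...
RFC5424 = re.compile(r"^<\d{1,3}>\d{1,2} (\S+) (\S+) ")
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ")

def resolve_source(message: str, peer_ip: str) -> str:
    """Return the HOSTNAME header field, or peer_ip if it is missing."""
    m = RFC5424.match(message)
    if m:
        host = m.group(2)
    else:
        m = RFC3164.match(message)
        host = m.group(1) if m else None
    # "-" is the RFC 5424 NILVALUE: the sender supplied no hostname.
    if not host or host == "-":
        return peer_ip
    return host

def group_by_source(datagrams):
    """Group (peer_ip, message) pairs by their resolved source name."""
    groups = defaultdict(list)
    for peer_ip, message in datagrams:
        groups[resolve_source(message, peer_ip)].append(message)
    return dict(groups)

# Constructed sample: four datagrams that all arrive from one NAT address.
NAT_IP = "203.0.113.10"
SAMPLE = [
    (NAT_IP, "<34>1 2024-05-01T10:00:00Z fw01.example.com sshd 411 ID47 - login failed"),
    (NAT_IP, "<13>May  1 10:00:01 sw02 kernel: link up"),
    (NAT_IP, "<14>1 2024-05-01T10:00:02Z - app - - - no hostname set"),
    (NAT_IP, "not a syslog header at all"),
]

if __name__ == "__main__":
    for source, msgs in group_by_source(SAMPLE).items():
        print(source, len(msgs))
```

The HOSTNAME field is written by the sending device, so it works as a label for sorting rather than as an authenticated identity; the two messages without a usable hostname end up under the NAT address.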
