Wrong gl2_remote_ip

cmiscloni · September 18, 2017, 1:14pm

Hi all,

I’ve got sometimes some wrong gl2_remote_ip in my logs.
Is there any DNS caching in place to retrieve the information ?
If yes, how I can fix this ?

Thanks

jochen · September 18, 2017, 1:40pm

What does “wrong” mean exactly?

How are you sending logs to Graylog?
What’s the configuration of the clients sending messages to Graylog?
What’s the configuration of the Graylog input(s)?
What do you expect the gl2_remote_ip field to contain and what’s the actual content?

cmiscloni · September 18, 2017, 2:26pm

I use nxlog to send the logs.
Graylog input is

This happen on few clients, Windows 10 Pro 1607

Nxlog conf:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
	ReadFromLast TRUE
	SavePos      TRUE
	Query <QueryList>\
				<Query Id="0">\
					<Select Path="Microsoft-Windows-WLAN-AutoConfig/Operational">*[System[Provider[@Name="Microsoft-Windows-WLAN-AutoConfig"] and (EventID=11001)]]</Select>\
	</Query>\
	</QueryList>
		
</Input>


<Output out>
    Module      om_udp
    Host        graylog.XXXXXXX
    Port        12201
	OutputType GELF
</Output>

<Route 1>
    Path        in => out
</Route>

The IP is an internal IP instead to be a VPN IP. Like if the function used a cached information.
Sometimes it’s true but sometimes not.

jochen · September 18, 2017, 3:08pm

The gl2_remote_ip field contains the IP address of the message sender connected to the network socket as provided by the operating system. Graylog doesn’t cache this information. The operating system might cache it, but it’s rather unlikely.

Are you sending messages from NXLOG to Graylog through a VPN?
What’s the configuration of that VPN?

Relevant code snippets:

github.com

Graylog2/graylog2-server/blob/2.3.1/graylog2-server/src/main/java/org/graylog2/plugin/inputs/transports/NettyTransport.java#L344


      
                  log.error(
                          "Invalid message type received from transport pipeline. Should be ChannelBuffer but was {}. Discarding message.",
                          msg.getClass());
                  return;
          
              }
              final ChannelBuffer buffer = (ChannelBuffer) msg;
              final byte[] payload = new byte[buffer.readableBytes()];
              buffer.toByteBuffer().get(payload, buffer.readerIndex(), buffer.readableBytes());
          
              final RawMessage raw = new RawMessage(payload, (InetSocketAddress) e.getRemoteAddress());
              input.processRawMessage(raw);
          }
          
          @Override
          public void exceptionCaught(ChannelHandlerContext ctx, ExceptionEvent e) throws Exception {
              log.debug("Could not handle message, closing connection: {}", e);
          
              if (ctx.getChannel() != null && !(ctx.getChannel() instanceof DatagramChannel)) {
                  ctx.getChannel().close();
              }

github.com

Graylog2/graylog2-server/blob/2.3.1/graylog2-server/src/main/java/org/graylog2/shared/buffers/processors/DecodingProcessor.java#L226-L227


      
          final String addrString = InetAddresses.toAddrString(remoteAddress.getAddress());
          message.addField("gl2_remote_ip", addrString);

cmiscloni · September 18, 2017, 3:15pm

Yes through OpenVPN.

ip-win32 dynamic
client
dev tun
proto tcp
remote xxxxxx 443
tls-remote "xxxx"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
ca xxxxx.com.ca.crt
cert xxxx.com.user.crt
key xxxxx.com.user.key
auth-user-pass
cipher AES-128-CBC
auth SHA1
comp-lzo 
route-delay 4
verb 3
reneg-sec 0

jochen · September 18, 2017, 3:47pm

And which address would you expect the gl2_remote_ip field to contain?
Remember that the whole purpose of using a VPN is being able to access “internal” hosts in a secure way.

cmiscloni · September 18, 2017, 5:05pm

The IP of the VPN Pool.
Most of clients have the good one with the same configuration and the clients which have wrong IP have Internal IP gave by our Internal DNS so it’s impossible to have it on VPN link.
It’s for this I spoke about possible DNS caches.

cmiscloni · September 18, 2017, 6:50pm

It’s seems that computer which doesn’t restart after an internal connection keep internal IP.
The OpenVPN client doesn’t update IP but VPN connection works.
Any ideas or how can I do to retrieve the real IP ?

Thanks

system · October 2, 2017, 6:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Gl2_remote_ip issue with docker Graylog Central (peer support) pipeline-rules	5	570	November 4, 2021
NXlog external port forward through firewall Graylog Central (peer support)	10	413	November 2, 2022
Problem sending logs to Graylog Inputs from external source Graylog Central (peer support)	7	865	February 19, 2020
Syslog device source IP Address Graylog Central (peer support)	8	2283	May 16, 2022
Can I get source IP from messaged logged via GELF UDP? Graylog Central (peer support) pipeline-rules , debuggingpl	12	1833	May 20, 2021

Wrong gl2_remote_ip

Related Topics