Wrong gl2_remote_ip

Hi all,

I’ve got sometimes some wrong gl2_remote_ip in my logs.
Is there any DNS caching in place to retrieve the information ?
If yes, how I can fix this ?


What does “wrong” mean exactly?

How are you sending logs to Graylog?
What’s the configuration of the clients sending messages to Graylog?
What’s the configuration of the Graylog input(s)?
What do you expect the gl2_remote_ip field to contain and what’s the actual content?

I use nxlog to send the logs.
Graylog input is :slight_smile:image

This happen on few clients, Windows 10 Pro 1607

Nxlog conf:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf

<Input in>
    Module      im_msvistalog
	ReadFromLast TRUE
	SavePos      TRUE
	Query <QueryList>\
				<Query Id="0">\
					<Select Path="Microsoft-Windows-WLAN-AutoConfig/Operational">*[System[Provider[@Name="Microsoft-Windows-WLAN-AutoConfig"] and (EventID=11001)]]</Select>\

<Output out>
    Module      om_udp
    Host        graylog.XXXXXXX
    Port        12201
	OutputType GELF

<Route 1>
    Path        in => out

The IP is an internal IP instead to be a VPN IP. Like if the function used a cached information.
Sometimes it’s true but sometimes not.

The gl2_remote_ip field contains the IP address of the message sender connected to the network socket as provided by the operating system. Graylog doesn’t cache this information. The operating system might cache it, but it’s rather unlikely.

Are you sending messages from NXLOG to Graylog through a VPN?
What’s the configuration of that VPN?

Relevant code snippets:

Yes through OpenVPN.

ip-win32 dynamic
dev tun
proto tcp
remote xxxxxx 443
tls-remote "xxxx"
route remote_host net_gateway
resolv-retry infinite
ca xxxxx.com.ca.crt
cert xxxx.com.user.crt
key xxxxx.com.user.key
cipher AES-128-CBC
auth SHA1
route-delay 4
verb 3
reneg-sec 0

And which address would you expect the gl2_remote_ip field to contain?
Remember that the whole purpose of using a VPN is being able to access “internal” hosts in a secure way.

The IP of the VPN Pool.
Most of clients have the good one with the same configuration and the clients which have wrong IP have Internal IP gave by our Internal DNS so it’s impossible to have it on VPN link.
It’s for this I spoke about possible DNS caches.

It’s seems that computer which doesn’t restart after an internal connection keep internal IP.
The OpenVPN client doesn’t update IP but VPN connection works.
Any ideas or how can I do to retrieve the real IP ?


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.