Explain Usage of spoof_source in syslog-ng_ip.conf and log actions
freedombirdone opened this issue · 2 comments
What exactly does this configuration do? What do I need to put for XX.XX.XX.XX?
destination d_loghost { udp("XX.XX.XX.XX" port(514) spoof_source(yes)); };
Does it matter what order the log actions appear in the config?
How do these log actions work?
log { source(s_remote); destination(d_loghost); flags(catchall); };
log { source(s_remote); destination(d_separatedbyhosts); flags(fallback); };
I also noticed this filter is never used. Is this intended?
filter f_separatedbyhosts {
host("^$");
};
This is used when you want to relay syslog data to a 3rd party without adding new syslog headers so the log format is consistent.
The order does matter; it's a data pipeline, so stuff that isn't caught earlier on in the filter falls to the next filter.
I'm not sure on the final question; again, this is a template example.
I might have been using that filter at some point and abandoned it once it wasn't needed anymore.
OK, thanks. So I assume the XX.XX.XX.XX is the remote third party IP address in this line:
destination d_loghost { udp("XX.XX.XX.XX" port(514) spoof_source(yes)); };
Also, since you say the order does matter, would the catchall need to go at the bottom of the config, because wouldn't everything be caught with that rule?
Example:
log { source(s_remote); destination(d_loghost); flags(catchall); };
log { source(s_remote); filter(f_palo_alto); destination(d_palo_alto); flags(final); };
log { source(s_remote); filter(f_trip_wire); destination(d_trip_wire); flags(final); };
log { source(s_remote); filter(f_juniper_fw); destination(d_juniper_fw); flags(final); };
...
log { source(s_remote); destination(d_separatedbyhosts); flags(fallback); };
What are the differences between the different flags you used? fallback, final, catchall
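A small model of how an ordered list of log statements dispatches one message, added here as an example; it is not code from the thread or from the syslog-ng project. It assumes the documented syslog-ng meaning of the catchall, final and fallback flags, uses constructed host names and filter patterns, and also runs the relay-at-the-bottom ordering asked about above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LogPath:
    """One 'log { ... };' statement: a host filter (None = unfiltered) and its flags."""
    destination: str
    host_regex: Optional[str] = None
    flags: set = field(default_factory=set)

def dispatch(paths, host):
    """Destinations a message from `host` reaches, evaluated in config order.
    Modelled rules (documented syslog-ng behaviour, simplified):
      * a statement whose filter matches delivers the message;
      * 'final' stops evaluation of later statements once a message matched;
      * 'fallback' statements deliver only messages no non-fallback statement matched;
      * 'catchall' only changes which sources feed the statement, so with one
        shared source it acts like an unfiltered non-fallback statement."""
    delivered, matched = [], False
    for p in paths:
        if p.host_regex is not None and not re.search(p.host_regex, host):
            continue
        if "fallback" in p.flags:
            if matched:
                continue
        else:
            matched = True
        delivered.append(p.destination)
        if "final" in p.flags:
            break
    return delivered

# Ordering proposed in the thread: unfiltered relay first, vendor paths with final, fallback last.
# Host names and patterns are constructed for this example.
RELAY_FIRST = [
    LogPath("d_loghost", None, {"catchall"}),
    LogPath("d_palo_alto", r"^pa-", {"final"}),
    LogPath("d_juniper_fw", r"^srx-", {"final"}),
    LogPath("d_separatedbyhosts", None, {"fallback"}),
]
# The same statements with the relay moved below the final paths.
RELAY_LAST = RELAY_FIRST[1:3] + [RELAY_FIRST[0]] + RELAY_FIRST[3:]

if __name__ == "__main__":
    for order, name in ((RELAY_FIRST, "relay first"), (RELAY_LAST, "relay last")):
        for h in ("pa-edge1", "srx-core1", "unknown-box"):
            print(f"{name:11} {h:12} -> {dispatch(order, h)}")
```

With the relay at the top every message reaches d_loghost and the vendor destination; moved below the final paths, a matched message stops before it. In both orderings d_separatedbyhosts never receives anything, because the unfiltered d_loghost statement counts as a match for every message.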