To used to working with subnets but this looks like the simplest solution!
No idea how i could have missed that.
Now I see we need to fix a few FQDN's (but that's okay) and it can work
as good as subnets
Thnx!
//Ton
On 4/1/21 5:21 PM, David Lang via rsyslog wrote:
what you should be doing is look at the hostname in the message rather
than the IP that the message appears to come from. As you have seen
the IP is affected by relays, and it's also affected by NAT.
omudpspoof can help, but it's a very substantial performance hit
David Lang
On Thu, 1 Apr 2021, Mariusz Kruk via rsyslog wrote:
Date: Thu, 1 Apr 2021 16:10:07 +0200
From: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Mariusz Kruk <m...@safecomp.com>
Subject: Re: [rsyslog] forward to 2nd server
It's a tricky question and the answer is not that straightforward.
There is an option - using module called omudpspoof which sends out
UDP datagrams with spoofed source IP. However this requires rsyslog
running with root user (which is not the best idea) since it needs to
manipulate raw sockets.
But.
This works only for UDP. For TCP the connection will always have the
real source address since it obviously needs to do two-way traffic.
And TCP is much more reliable in terms of delivering messages than UDP.
So it probably would be best for you to "pack" the event on the
source server (for example - into a json structure) along with the
source IP and send it to the destination server to "unpack".
Unless of course your destination solution is some another system
which can't do this "unpacking".
On 01.04.2021 15:29, rsyslog--- via rsyslog wrote:
Hi,
I configured all my servers with to send all to a central server
with "*.* @192.168.0.10:2514" which works great.
For some test and proof-of-concepts, i'd like to have the syslog
messages also to a second logserver. However, adding "*.*
@192.168.0.22:514" on the central server 192.168.0.10 makes all
messages appear to originate from there instead of the original
source ip.
Because we don't wanna go edit all servers, nor do we like to have
all messages to go twice over the wan, *IS* there a way to send the
syslog from the first syslog server to the second while preserving
the original source ip ??
Thnx, Ton
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
