Rsyslog and Nagios Logserver

chartley
Posts: 6
Joined: Thu Dec 14, 2017 11:22 am

Rsyslog and Nagios Logserver

Post by chartley »

I have rsyslog running on a CentOS 7 machine and it is using TCP port 514. I also have Nagios log server running on the same server using port 514 and 5544. Is there a way that a person could be receiving syslog messages coming in on port 514 and forward the syslog messages to port 515 on the same machine without the IP in the Nagios log server showing up as localhost, 127.0.0.1 or 00:00:00:00?

I have edited my syslog.conf file to send the syslog messages coming in on port 514 to forward it to port 515 on the same machine... But the IP of the host that it is coming from is always one of the three I mentioned above. I was just wondering if something could be changed to have it show the correct IP in the Nagios Logserver GUI.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Rsyslog and Nagios Logserver

Post by mcapra »

chartley wrote: Is there a way that a person could be receiving syslog messages coming in on port 514 and forward the syslog messages to port 515 on the same machine without the IP in the Nagios log server showing up as localhost, 127.0.0.1 or 00:00:00:00?

nginx, HAProxy, and similar solutions can handle this. I would advise being mindful of the default configurations that come with such applications, as they often try to bind to port 80 which, for an NLS machine, is in use by Apache.

Do your syslog messages include a syslog_hostname field?

If not, a more elegant solution would be to add a "special field" in your rsyslog configuration that contains the original machine's IP address or hostname, then parse that out with a Logstash filter rule after it hits Nagios Log Server. As to *how* you would do that, it would depend on the rsyslog configuration set currently in place as well as your Logstash inputs.

I've made it a habit to template all my nxlog/rsyslog/syslog-ng messages as JSON and ingest them using Logstash's regular old JSON codec. It'd be pretty simple at that point to add an "originalAddress" field and have Logstash overwrite the source with that information in a mutate step.
Former Nagios employee
https://www.mcapra.com/
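
The approach described in the post above, as an added example that is not part of the original thread and is not mcapra's or Nagios's own configuration: rsyslog wraps each message in JSON carrying an "originalAddress" field, and a Logstash mutate step overwrites the source with it. Assumptions: the template name, the set of JSON fields, a Logstash tcp input on port 515, and `host` being the field that holds the source address.

```conf
# Constructed example; "jsonWithOrigin" and the field set are placeholders.

# --- rsyslog side (RainerScript) ---
module(load="imtcp")
input(type="imtcp" port="514")

# fromhost-ip is the peer address rsyslog itself saw on the connection,
# not a value taken from the sender-controlled message body.
template(name="jsonWithOrigin" type="list") {
    constant(value="{\"originalAddress\":\"")
    property(name="fromhost-ip")
    constant(value="\",\"syslog_hostname\":\"")
    property(name="hostname" format="json")
    constant(value="\",\"message\":\"")
    property(name="msg" format="json")
    constant(value="\"}")
}

# Forward everything to the local Logstash input using the JSON template.
action(type="omfwd" target="127.0.0.1" port="515" protocol="tcp"
       template="jsonWithOrigin")

# --- Logstash side ---
input {
  tcp {
    host  => "127.0.0.1"   # accept only the local rsyslog forwarder
    port  => 515
    codec => json
  }
}

filter {
  # Only overwrite the source when the forwarder supplied the field.
  if [originalAddress] {
    mutate { replace => { "host" => "%{originalAddress}" } }
  }
}
```

Binding the Logstash input to 127.0.0.1 matters here: anything able to reach port 515 directly could otherwise supply its own "originalAddress" value and have it accepted as the source.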
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Rsyslog and Nagios Logserver

Post by cdienger »

Thanks for the assist, @mcapra!