Hi All,
We are in the process of forwarding our logs from NLS to a log collector housed in the DMZ network that forwards logs to the SIEM.
We have configured output in the global configuration to forward syslogs from NLS to the log collector.
We see the raw log coming into the SIEM with the log source as the NLS server IP.
Is there a way we can retain the syslog header that shows the correct IP of the source that is sending the logs to NLS?
Appreciate your help.
Thanks,
Syed
Retain syslog header log collector
Re: Retain syslog header log collector
What kind of logs are coming in? If they go through an input or filter that fills a host field then the syslog output will automatically use that when sending the outbound message:
https://www.elastic.co/guide/en/logstas ... sourcehost
Otherwise, you can configure the syslog output to use a different field to set the sourcehost setting.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Re: Retain syslog header log collector
Hi Cdienger,
Thank you for your response. Currently we are forwarding all application and authentication logs from various applications. In NLS we do see the source IP/hostname that is sending the logs to NLS. However, when the logs are forwarded to the SIEM, the source IP for the logs shows the IP of the NLS server.
Can you provide an example of an output configuration in NLS that helps the SIEM side retain the original source IP of the logs that are being forwarded?
Appreciate your time and support.
Thanks,
Syed
Re: Retain syslog header log collector
I should have been a bit clearer - I meant to ask what kind of logstash inputs the logs were coming in on?
Is "host" a field you see when you view the events in the dashboard? If not, sourcehost needs to be set. The example below will use the client_ip field to format syslog messages.
output {
  syslog {
    facility   => "daemon"
    host       => "192.168.0.99"
    port       => "9000"
    severity   => "debug"
    # Value written into the HOSTNAME field of the outbound syslog header.
    # The default is "%{host}", so it only needs setting when the event has
    # no host field or the origin lives in another field (client_ip here).
    sourcehost => "%{client_ip}"
  }
}
Re: Retain syslog header log collector
Please find the attached information (Input config & Event Fields). I do see a host field in the Dashboard.
Input config NLS
Thanks,
Syed
Re: Retain syslog header log collector
Are you sure the receiving device is configured to parse the data correctly? If the host field is available then the syslog output should automatically use this when forwarding the message. The screenshot below shows an example of an NLS (192.168.4.82) forwarding a message that was originally sent by 192.168.0.25. The highlighted part is the actual message that is sent. Your receiving device may not be parsing the message correctly and may be using the connecting IP address (the NLS address).
Re: Retain syslog header log collector
What changes do I need to make in order to resolve this issue? Do I have to make any input config changes or output config changes in NLS? Or is it the job of the SIEM to parse the correct log source IP?
Thanks,
Syed
Re: Retain syslog header log collector
First verify the raw message received by the SIEM and that it contains the correct IP. If it does then you'll need to look on the SIEM side to make sure it is parsing properly. If the correct IP is not being sent then we'll need to take a closer look at the NLS side.
The screenshot I posted is from a tcpdump. I ran the tcpdump with:
yum -y install tcpdump
tcpdump -s 0 -i any host 192.168.0.99 -w output.pcap
Obviously replace the IP with your SIEM's IP. Let it run for a few minutes to capture traffic before stopping it with CTRL+C. Use Wireshark to view the file. If the output uses a non-default syslog port, then right click a packet sent on that port, select Decode As..., and configure the port to decode as syslog.
Re: Retain syslog header log collector
Hi cdienger
Following your last suggestion, here is what the Wireshark pcap data looked like. Please advise.
Thanks,
Ali
Re: Retain syslog header log collector
The first one looks like it is sending the client IP to the SIEM device. That device would need to be configured to parse this out.
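Added example tying together the sourcehost reply, the tcpdump verification step and the final point that the SIEM has to parse the header. This is not code from the thread or from Nagios/Logstash; it is a small Python model of the client -> NLS -> SIEM path. It assumes the relayed lines use the RFC 3164 layout "<PRI>TIMESTAMP HOSTNAME APPNAME[PROCID]: MSG" (the shape the Logstash syslog output produces with sourcehost left at its default of "%{host}"). The sample datagram and the relay(), siem_source() and audit_capture() helpers are constructed for this example; 192.168.0.25 (client) and 192.168.4.82 (NLS) are the addresses quoted in the thread and are used only as illustration.

```python
"""Added example: a model of the client -> NLS -> SIEM syslog path (not code
from the thread or from Nagios/Logstash).

Assumptions made here:
  * relayed lines use the RFC 3164 shape "<PRI>TIMESTAMP HOSTNAME APPNAME[PROCID]: MSG",
    which is what the Logstash syslog output produces with sourcehost = "%{host}";
  * the sample datagram and the relay/SIEM helpers are constructed for this
    example; 192.168.0.25 (client) and 192.168.4.82 (NLS) are the addresses
    quoted in the thread, used only as illustration.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 3164 header: PRI, BSD timestamp (day may be space-padded), HOSTNAME, rest.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^ ]+) "
    r"(?P<body>.*)$",
    re.DOTALL,
)


class Header(NamedTuple):
    facility: int
    severity: int
    timestamp: str
    hostname: str
    body: str


def parse_rfc3164(payload: str) -> Optional[Header]:
    """Parse the header; None when the payload carries no RFC 3164 header."""
    m = _RFC3164.match(payload)
    if not m:
        return None
    pri = int(m.group("pri"))
    return Header(pri >> 3, pri & 7, m.group("ts"), m.group("host"), m.group("body"))


def relay_format(facility: int, severity: int, timestamp: str, sourcehost: str,
                 body: str, appname: str = "LOGSTASH", procid: str = "-") -> str:
    """Line a Logstash-style relay emits; `sourcehost` is what the syslog
    output's sourcehost option (default "%{host}") writes into the header."""
    return f"<{facility * 8 + severity}>{timestamp} {sourcehost} {appname}[{procid}]: {body}"


def relay(payload: str, relay_ip: str, host_field: Optional[str]) -> str:
    """Model the NLS hop. host_field is whatever the input or filter stored in
    the event's host field (None models an input that never set it). Modelled
    failure mode: with nothing to put in the header, the relay names itself."""
    sourcehost = host_field if host_field else relay_ip
    hdr = parse_rfc3164(payload)
    if hdr is None:  # unparsed line: forward as user.info under the same header rules
        return relay_format(1, 6, "Jan  1 00:00:00", sourcehost, payload)
    return relay_format(hdr.facility, hdr.severity, hdr.timestamp, sourcehost, hdr.body)


def siem_source(payload: str, peer_ip: str, parse_header: bool) -> str:
    """Address the SIEM records as the log source. Keying on the transport peer
    always yields the relay; parsing the header yields the HOSTNAME field, with
    the peer only as a fallback for lines that carry no header."""
    if parse_header:
        hdr = parse_rfc3164(payload)
        if hdr is not None:
            return hdr.hostname
    return peer_ip


def audit_capture(frames: List[Tuple[str, str]], relay_ip: str) -> List[str]:
    """Same check as the tcpdump step, on decoded (peer_ip, payload) pairs:
    return payloads whose header names the relay itself or is missing, i.e.
    where the original source was already lost before reaching the SIEM."""
    lost = []
    for _peer_ip, payload in frames:
        hdr = parse_rfc3164(payload)
        if hdr is None or hdr.hostname == relay_ip:
            lost.append(payload)
    return lost


CLIENT, NLS = "192.168.0.25", "192.168.4.82"
# Constructed datagram as the client would send it to NLS (authpriv.info).
ORIGINAL = ("<86>Mar 12 10:15:32 appsrv01 sshd[2114]: "
            "Accepted publickey for ops from 10.0.0.7 port 51544")


def demo() -> dict:
    good = relay(ORIGINAL, NLS, host_field=CLIENT)  # input set host = client IP
    bad = relay(ORIGINAL, NLS, host_field=None)     # host never populated
    return {
        "header_kept": siem_source(good, NLS, parse_header=True),   # 192.168.0.25
        "peer_only": siem_source(good, NLS, parse_header=False),    # 192.168.4.82
        "host_unset": siem_source(bad, NLS, parse_header=True),     # 192.168.4.82
        "lost_at_relay": audit_capture([(NLS, good), (NLS, bad)], NLS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14s} {value}")
```

The "header_kept" and "peer_only" results come from the same relayed datagram; the only difference is whether the receiver parses the HOSTNAME field or keys on the connecting address, which is the situation the last reply describes. "host_unset" is the other failure: if nothing on the NLS side populated the host field, the header already names the relay and no SIEM parsing will recover the origin, which is what audit_capture() flags on decoded capture payloads. One caveat for the SIEM side: the header hostname is asserted by whoever sent the line, so keep the transport peer as a separate field and restrict which hosts may reach the NLS input rather than treating the header value as authenticated.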