Preserve source IP address | Log collection solutions

#1 Olga35000 6 years ago

I'm trying to do a syslog udp to tcp converter using this method from the user's manual:

<Input in>
    Module im_tcp
    Host 0.0.0.0
    Port 2345
</Input>

<Output out>
    Module      om_tcp
    Host        mysyslog.domain.local
    Port        514
</Output>

~~<Processor buffer>
Module pm_buffer
WarnLimit 800
MaxSize 1000
Type Mem
Exec if buffer_size() >= 80k drop();
</Processor>

<Route 1>
Path in => buffer => out
</Route>

This is working correctly but all the events recieved by mysyslog.domain.local server are coming from the same source (the IP of the NXLOG server). Is there a way to preserve the source IP?

Thanks in advance

Regards,

Olga

Permalink

#2 b0ti Nxlog ✓ 6 years ago

#1 Olga35000

Hi I'm trying to do a syslog udp to tcp converter using this method from the user's manual: <Input in> Module im_tcp Host 0.0.0.0 Port 2345 </Input> <Output out> Module om_tcp Host mysyslog.domain.local Port 514 </Output> ~~<Processor buffer> Module pm_buffer WarnLimit 800 MaxSize 1000 Type Mem Exec if buffer_size() >= 80k drop(); </Processor> <Route 1> Path in => buffer => out </Route> This is working correctly but all the events recieved by mysyslog.domain.local server are coming from the same source (the IP of the NXLOG server). Is there a way to preserve the source IP? Thanks in advance Regards, Olga

It's not possible to spoof the IP address of a TCP packet. This is only possible with udp and the NXLog Enterprise Edition has a special module (om_udpspoof) that can do this.