Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 1 Aug 2017 13:40:45 -0700
From: Sean Cassidy <sean@...ensestorm.com>
To: oss-security@...ts.openwall.com
Subject: Re: Syslog forwarding with IP spoofing

On Tue, Aug 1, 2017 at 7:27 AM, Александр Носарев <nosarev-ay@...bler.ru> wrote:
>
> Good day!
>
>
> I need to recive syslog messages, filter them and send them forward to the SIEM.
>
> Also HOST field is not represented in syslog, so i need to spoof IP of forwarding
> packets to bind messages recived by SIEM to it's original source IP.
>
> If i will try to add some marks to syslog message, I will need to override
> parsers for each syslog source type, so it seems like abad idea.
>
> Is there any open source tool for that task?

I would use syslog-ng for this. It can rewrite syslog messages
(including adding/modifying the HOST field) and then do nearly
anything with the result. You can have it call a program, put it on an
AMQP queue, write it to disk, or whatever, really.

https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/chapter-manipulating-messages.html
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/chapter-destinations.html

Sean

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ