oss-sec mailing list archives
Re: Syslog forwarding with IP spoofing
From: Sean Cassidy <sean () defensestorm com>
Date: Tue, 1 Aug 2017 13:40:45 -0700
On Tue, Aug 1, 2017 at 7:27 AM, Александр Носарев <nosarev-ay () rambler ru> wrote:
Good day! I need to receive syslog messages, filter them and send them forward to the SIEM. Also, the HOST field is not represented in syslog, so I need to spoof the IP of the forwarded packets to bind messages received by the SIEM to their original source IP. If I try to add some marks to the syslog message, I will need to override parsers for each syslog source type, so it seems like a bad idea. Is there any open source tool for that task?
I would use syslog-ng for this. It can rewrite syslog messages (including adding/modifying the HOST field) and then do nearly anything with the result. You can have it call a program, put it on an AMQP queue, write it to disk, or whatever, really.

https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/chapter-manipulating-messages.html
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/chapter-destinations.html

Sean
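The following syslog-ng OSE configuration is an added illustration of the approach Sean describes, not a config posted in the thread. It receives from the devices, drops debug-level noise, overwrites HOST with the IP the message actually arrived from, and forwards to the SIEM. It also shows syslog-ng's own answer to the literal "IP spoofing" request, the spoof-source() option, which works only for UDP destinations. The version line, host name siem.example.internal, the ports and the filter choice are assumptions for the example.

```conf
@version: 3.22
@include "scl.conf"

options {
    # Leave sender addresses as raw IPs; the SIEM keys on the IP, not a name.
    use-dns(no);
    # Do not prepend this relay's own name to HOST when forwarding.
    chain-hostnames(no);
};

# Collector for the upstream devices (port 514 assumed for the example).
source s_devices {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Filtering stage: this example simply discards debug-level messages.
filter f_not_debug {
    not level(debug);
};

# The rewrite Sean refers to: set HOST to the address the message was
# received from, regardless of what (if anything) the device put in the
# header. SOURCEIP is the built-in macro holding the sender's IP.
rewrite r_host_from_sender {
    set("${SOURCEIP}", value("HOST"));
};

# Forward as RFC 5424 over TCP; the rewritten HOST travels in the
# HOSTNAME header field, so no parser changes are needed on the SIEM.
destination d_siem_tcp {
    syslog("siem.example.internal" transport("tcp") port(601));
};

# Literal source-IP spoofing, as the original question asked for.
# spoof-source(yes) makes each outgoing UDP datagram carry the original
# sender's IP as its source address. Caveats: UDP only, the syslog-ng
# binary must be built with libnet support, the process needs CAP_NET_RAW
# (or root), and any BCP 38 / anti-spoofing filter between relay and SIEM
# will drop the packets. Not used in the log path below; swap it in for
# d_siem_tcp if the SIEM insists on seeing the original packet source.
destination d_siem_udp_spoofed {
    network("siem.example.internal" transport("udp") port(514)
            spoof-source(yes));
};

log {
    source(s_devices);
    filter(f_not_debug);
    rewrite(r_host_from_sender);
    destination(d_siem_tcp);
};
```

Note that with the default keep-hostname(no), syslog-ng already replaces HOST with the sender's address for network sources; the explicit rewrite makes the intent visible in the config and keeps working if keep-hostname(yes) is later needed for other sources. Either way, the HOST value is only as trustworthy as the UDP/TCP sender address it was derived from, so anyone who can reach port 514 on the relay can make messages appear to come from an arbitrary device; restrict the source at the network layer or use TLS with client authentication where the devices support it.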
Current thread:
- Syslog forwarding with IP spoofing Александр Носарев (Aug 01)
- Re: Syslog forwarding with IP spoofing Solar Designer (Aug 01)
- Re: Syslog forwarding with IP spoofing Mikhail Utin (Aug 01)
- Re: Syslog forwarding with IP spoofing Kurt Seifried (Aug 01)
- Re: Syslog forwarding with IP spoofing Mikhail Utin (Aug 01)
- Re: Syslog forwarding with IP spoofing Sean Cassidy (Aug 01)
- Re: Syslog forwarding with IP spoofing Solar Designer (Aug 01)