Rewrite

Posted by vegetax 
January 10, 2017 09:50PM
Hi, I need some help. I am load balancing my syslog traffic from my WAF device
to the nginx server below, and the servers in the pool are servers running rsyslog.
Currently the issue is that when the logs hit the nginx server, it rewrites the
source host name; for example, in the logs below you see "nginx_vm" but it should
be "WAF01".
Does anyone have any suggestions to stop this from happening?



# Nginx VM "nginx_vm"

stream {
    upstream splunk_backend {
        server 192.168.1.31:514;
        server 192.168.1.32:514;
    }

    server {
        listen 192.168.2.2:514;
        listen 514 udp;
        proxy_connect_timeout 1s;
        proxy_timeout 10m;
        proxy_pass splunk_backend;
        proxy_buffer_size 64k;
        proxy_next_upstream_timeout 1;
        error_log /var/log/nginx/splunk.log info;
    }
}


# MY IMPERVA WAF device "WAF01"

Jan 5 13:54:17 nginx_vm CEF: 0|Imperva Inc.|SecureSphere|11.0.0.3_0|Profile|unauthorized-http-req-content-t|Low|act=alert dst=10.10.240.35 dpt=80 duser=${Alert.username} src=41.104.58.1 spt=20872 proto=TCP rt=05 January 2017 18:54:17 cs1=Web Profile Policy cs1Label=Policy

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271913,271913#msg-271913

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: Rewrite
January 11, 2017 02:20PM
Hello!

On Tue, Jan 10, 2017 at 03:42:24PM -0500, vegetax wrote:

> Hi, I need some help. I am load balancing my syslog traffic from my WAF device
> to the nginx server below, and the servers in the pool are servers running rsyslog.
> Currently the issue is that when the logs hit the nginx server, it rewrites the
> source host name; for example, in the logs below you see "nginx_vm" but it should
> be "WAF01".
> Does anyone have any suggestions to stop this from happening?

It looks like your rsyslog is configured to log the name of the system
it got the message from instead of the hostname from the syslog
message. Check your rsyslog configuration.

--
Maxim Dounin
http://nginx.org/
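
A simplified model of the distinction in the reply above, as an added example that is not part of the thread and is not rsyslog's code: a collector can log either the hostname carried in the syslog header or the name of the system the datagram arrived from, and behind a UDP proxy the latter is always the proxy. The field names `hostname` and `fromhost` mirror rsyslog's message properties; the regex, the function names, the sample datagrams and the fall-back to the sender when no header is present are assumptions of this sketch.

```python
import re

# RFC 3164 style header: optional <PRI>, "Mmm dd hh:mm:ss", HOSTNAME, message.
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:]+) (?P<msg>.*)$",
    re.S,
)

def parse(datagram: str, peer: str) -> dict:
    """Split a received datagram into the fields a collector can log.

    peer is the name of the system the packet arrived from; behind a
    UDP proxy that is the proxy, never the original device.
    """
    m = HEADER.match(datagram)
    if m is None:
        # No usable header (assumed fall-back): only the sender's name is known.
        return {"hostname": peer, "fromhost": peer, "msg": datagram}
    return {"hostname": m["host"], "fromhost": peer, "msg": m["msg"]}

def render(fields: dict, name_field: str) -> str:
    """Format one output line, taking the host column from name_field."""
    return f"{fields[name_field]} {fields['msg']}"

# Constructed samples, shortened from the CEF line in the first post.
PROXY = "nginx_vm"
WITH_HEADER = "<134>Jan  5 13:54:17 WAF01 CEF: 0|Imperva Inc.|SecureSphere|act=alert"
NO_HEADER = "CEF: 0|Imperva Inc.|SecureSphere|act=alert"

def demo() -> list:
    with_hdr = parse(WITH_HEADER, PROXY)
    no_hdr = parse(NO_HEADER, PROXY)
    return [
        render(with_hdr, "hostname"),  # header hostname: the WAF
        render(with_hdr, "fromhost"),  # sender of the packet: the proxy
        render(no_hdr, "hostname"),    # no header: falls back to the proxy
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first line shows the device name, the other two show the proxy name: either the output format uses the sender field, or the device sends CEF without a syslog header and the collector has nothing else to use.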