CAUSE1: Spoofing the sourceip and keep-hostname() have not been configured correctly, so the original source IP address and hostname are not both passed on.
CAUSE2: A load balancer such as an F5 has already "overwritten" the source IP address with its own address.
RESOLUTION 1:
Start by ensuring that spoofing the sourceip has been configured correctly.
NOTE: spoofing the sourceip requires the use of the UDP protocol and cannot be used with the TCP protocol.
1.) Start by editing the Syslog-ng configuration file (syslog-ng.conf), or sub-configuration file where the configuration for this logpath is set, using any text editor.
2.) Locate the destination statement where the logs are being sent and modify it by adding spoof-source(yes) to the destination statement, ensuring that the UDP transport is used. An example destination statement is below:
destination d_example_destination {
    network("10.10.10.10"
        port(10000)
        transport("udp")
        spoof-source(yes)
    );
};
3.) Save the modified configuration file.
4.) Reload the Syslog-ng configuration by using the following command:
/opt/syslog-ng/sbin/syslog-ng-ctl reload
5.) The ${SOURCEIP} should now contain the correct IP address of the host.
1.) Log into the WebUI of the Syslog-ng Store Box (SSB).
2.) Navigate to Log > Destinations.
3.) Enable spoofing of the sourceip by checking "UDP" under the "Transport" option in the created destination and then by checking "Spoof source address:". See the following screenshot for an example:
4.) Commit the changes on the Syslog-ng Store Box (SSB).
5.) The ${SOURCEIP} should now contain the correct IP address of the host.
Next, to ensure the hostname is kept correctly, please make the following changes:
1.) Start by editing the main Syslog-ng configuration file (syslog-ng.conf) where the global options are listed using any text editor.
2.) Under the global options create an entry for keep-hostname(yes); so that the options block looks similar to the following (any other global options already present stay in place):
options {
    keep-hostname(yes);
    use-dns(no);
};
NOTE: use-dns() needs to be set to "no"; otherwise hosts identified by an IP address will have that IP address replaced with the corresponding DNS entry. See the above example for including the use-dns(no) option.
3.) Save the modified configuration file.
4.) Reload the Syslog-ng configuration by using the following command:
/opt/syslog-ng/sbin/syslog-ng-ctl reload
5.) The hostname(s) of the original log source should now be kept and passed correctly.
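To make the effect of these options concrete, the following is an added example (not syslog-ng's own code and not part of the original article) that models how a relay fills ${HOST} and ${SOURCEIP} as a message passes through it. The relay IP, the client IP, the reverse-DNS table and the sample message are constructed values; the rules are the keep-hostname()/use-dns()/spoof-source() behaviour described above, reduced to a few lines so you can see which combination preserves the original host and source address at the collector.

```python
"""Model of how a syslog-ng relay fills ${HOST} and ${SOURCEIP}.

Added illustration, not syslog-ng's own code.  All addresses, the
reverse-DNS table and the message below are constructed examples.
"""
from dataclasses import dataclass
import re

# Constructed reverse-DNS table the relay consults when use-dns(yes).
REVERSE_DNS = {"192.0.2.10": "web01.example.test"}

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


@dataclass
class Packet:
    src_ip: str    # source address the receiver sees on the UDP datagram
    payload: str   # raw syslog line


@dataclass
class Relay:
    ip: str                      # the relay's own address (constructed)
    keep_hostname: bool = False  # keep-hostname() global option
    use_dns: bool = False        # use-dns() global option
    spoof_source: bool = False   # spoof-source(yes) on the UDP destination

    def resolve_host(self, pkt):
        """Value the relay assigns to ${HOST} for an incoming message."""
        m = SYSLOG_RE.match(pkt.payload)
        if m is None:
            raise ValueError("not an RFC 3164 message")
        msg_host = m.group(3)
        if self.keep_hostname:
            # keep-hostname(yes): trust the hostname carried in the message
            return msg_host
        if self.use_dns:
            # use-dns(yes): replace the sender address with its DNS name
            return REVERSE_DNS.get(pkt.src_ip, pkt.src_ip)
        # default: ${HOST} becomes the address the message arrived from
        return pkt.src_ip

    def forward(self, pkt):
        """Rebuild the message with the resolved ${HOST} and send it on."""
        m = SYSLOG_RE.match(pkt.payload)
        host = self.resolve_host(pkt)
        rebuilt = f"<{m.group(1)}>{m.group(2)} {host} {m.group(4)}"
        # spoof-source(yes) puts the original client address on the datagram;
        # otherwise the collector sees the relay's own address.
        src = pkt.src_ip if self.spoof_source else self.ip
        return Packet(src_ip=src, payload=rebuilt)


def collector_view(pkt):
    """What the final destination records as (${SOURCEIP}, ${HOST})."""
    m = SYSLOG_RE.match(pkt.payload)
    return pkt.src_ip, m.group(3)


# Constructed message from client 192.0.2.10 whose hostname field is "web01".
ORIGINAL = Packet("192.0.2.10",
                  "<13>Oct  5 12:00:00 web01 sshd[42]: Accepted publickey for alice")


def run_scenarios():
    """Return {scenario: (SOURCEIP, HOST)} as seen at the collector."""
    relay_ip = "198.51.100.1"
    return {
        "defaults": collector_view(Relay(relay_ip).forward(ORIGINAL)),
        "use_dns": collector_view(Relay(relay_ip, use_dns=True).forward(ORIGINAL)),
        "keep_hostname_only": collector_view(
            Relay(relay_ip, keep_hostname=True).forward(ORIGINAL)),
        "keep_hostname_and_spoof": collector_view(
            Relay(relay_ip, keep_hostname=True, spoof_source=True).forward(ORIGINAL)),
    }


if __name__ == "__main__":
    for name, (sourceip, host) in run_scenarios().items():
        print(f"{name:24s} SOURCEIP={sourceip:14s} HOST={host}")
```

Only the last scenario reproduces the original client's address and hostname at the collector, which is the combination the two procedures above configure: keep-hostname(yes) in the global options and spoof-source(yes) on a UDP destination.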
1.) Log into the WebUI of the Syslog-ng Store Box (SSB).
2.) Navigate to Log > Sources.
3.) Under the option "Hostname and time-stamp related settings:" check the box for "Trusted". See the following screenshot for an example:
4.) Commit the changes on the Syslog-ng Store Box
5.) The hostname will now be kept correctly. No additional options are needed for Destinations as the Syslog-ng Store Box (SSB) by default maintains the original hostname of the log sender as long as it is configured in the sources as configured in the previous steps.
RESOLUTION 2:
The problem is that the original IP address of the Windows host is not known to the Agent, so that information is not available to pass on.
Please contact your network team to help configure the load balancers, as configuring load balancers is outside the scope of the Technical Support team.