In a setup where the logs flow as
Windows Client >> DATA Diode >> Syslog-ng Server
the usual approach of rewriting the HOST field on the syslog-ng server cannot be used. The Data Diode only allows traffic in one direction, from the Windows Client to the Syslog-ng server, so the server has no return path to the client and cannot resolve the client's hostname to its IP address across the link. The three resolutions below either move the rewrite to the client side of the diode or give the server a local source of hostname-to-IP mappings.
Resolution 1. - Relay
Add a syslog-ng relay between the Windows Client and the Data Diode.
Windows Client >> Syslog-ng Relay >> DATA Diode >> Syslog-ng Server
On the relay, add a rewrite rule that replaces the hostname with the client's IP address (${SOURCEIP}, which on the relay is still the address the Windows client sent from) before the logs are sent through the Data Diode.
log {
    source(s_WindowsClient);
    # On the relay ${SOURCEIP} is still the address of the Windows client, so copy it into HOST
    rewrite { set("${SOURCEIP}", value("HOST")); };
    # Shown with a file destination for illustration; on the relay this is the destination that forwards to the Data Diode
    destination { file("/var/log/log.file"); };
};
This method rewrites the HOST field for every Windows Client that sends through the relay, with no per-client configuration to maintain.
For full details on rewrite rules, see the section "Modifying messages using rewrite rules" in the Admin Guide.
Resolution 2. - Conditional Rewrite
In the syslog-ng server configuration, add a separate conditional rewrite rule for every Windows client being processed. The condition matches on the hostname the client placed in the message, so the server's source must retain that hostname (keep-hostname(yes)) instead of replacing it with the address of the host the message arrived from.
log {
    source(s_WindowsClient);
    # Each rule only fires for messages whose HOST field matches the named client
    rewrite { set("10.10.11.110", value("HOST") condition(host("windows_client1"))); };
    rewrite { set("10.10.11.111", value("HOST") condition(host("windows_client2"))); };
    rewrite { set("10.10.11.113", value("HOST") condition(host("windows_client3"))); };
    rewrite { set("10.10.11.114", value("HOST") condition(host("windows_client4"))); };
    rewrite { set("10.10.11.115", value("HOST") condition(host("windows_client5"))); };
    destination { file("/var/log/log.file"); };
};
This list needs to be maintained for data accuracy and updated as Windows clients are added or removed. Note that host() matches a regular expression, so anchor the name (for example host("^windows_client1$")) wherever one client name is a prefix of another, such as windows_client1 and windows_client10.
For full details on conditional rewrites, see the "Conditional rewrites" section in the Admin Guide.
Resolution 3. - Adding Contextual Data
Configure the syslog-ng server to pull hostname / IP address mappings from an external CSV file using the add-contextual-data() parser, keyed on the message's HOST field. As with Resolution 2, the server's source must keep the hostname the client sent (keep-hostname(yes)) for the lookup to match.
log {
    source(s_WindowsClient);
    parser {
        # Look up ${HOST} as the selector in the CSV and apply the name/value pairs found for it;
        # when no row matches, the row whose selector is "unknown" is used instead
        add-contextual-data(
            selector("${HOST}"),
            database("/tmp/host-ip-pairs.csv"),
            default-selector("unknown")
        );
    };
    destination { file("/var/log/log.file"); };
};
The CSV file has three columns and no header: the selector (matched against ${HOST}), the name of the field to set, and the value to set it to. Here is the file used above:
# cat /tmp/host-ip-pairs.csv
oicrk1dc1,HOST,10.10.236.55
oicrk2dc2,HOST,10.10.236.44
This file needs to be maintained for data accuracy and updated as Windows clients are added or removed. syslog-ng reads the database when it starts or reloads its configuration, so reload syslog-ng after editing the CSV.
For full details on how to add contextual data see the section “Enriching log messages with external data” in the Admin Guide.
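As an added example (not part of the One Identity article and not syslog-ng code), the following Python script generates both the per-client rewrite rules of Resolution 2 and the add-contextual-data() CSV of Resolution 3 from one maintained mapping, so the two stay consistent, and validates every entry before anything is written: it rejects addresses with out-of-range octets, duplicate addresses, and hostnames that would need escaping in the config or the CSV. The mapping in CLIENTS is constructed sample data, and the output file names are assumptions.

```python
"""Keep the Resolution 2 rewrite rules and the Resolution 3 CSV in sync.

Added example, not code from the One Identity article or from syslog-ng:
one maintained hostname-to-IP mapping is validated and rendered into both
the conditional rewrite rules (Resolution 2) and the add-contextual-data()
CSV (Resolution 3). The hostnames and addresses in CLIENTS are constructed
sample data.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample mapping: Windows client hostname -> IP address.
CLIENTS: Dict[str, str] = {
    "windows_client1": "10.10.11.110",
    "windows_client2": "10.10.11.111",
    "windows_client3": "10.10.11.113",
}

# Only characters that are literal in a PCRE pattern and need no escaping in a
# double-quoted syslog-ng string or a CSV field.  A dot in an FQDN would act as
# a regex wildcard inside host(), so such names are rejected, not emitted raw.
_SAFE_HOSTNAME = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_mapping(mapping: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the mapping is usable."""
    problems: List[str] = []
    owner_of_ip: Dict[str, str] = {}
    for host, ip in mapping.items():
        if not _SAFE_HOSTNAME.match(host):
            problems.append(f"{host!r}: hostname contains characters that are not safe to emit")
        try:
            # Rejects out-of-range octets such as 10.10.236.555 as well as non-numeric junk.
            ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            problems.append(f"{host}: {ip!r} is not a valid IPv4 address")
            continue
        if ip in owner_of_ip:
            problems.append(f"{host}: address {ip} is already assigned to {owner_of_ip[ip]}")
        owner_of_ip[ip] = host
    return problems


def conditional_rewrites(mapping: Dict[str, str]) -> str:
    """Render Resolution 2: one rewrite block per client.

    host() takes a regular expression, so the name is anchored with ^ and $;
    an unanchored host("windows_client1") would also match windows_client10.
    """
    return "\n".join(
        f'rewrite {{set("{ip}", value("HOST") condition(host("^{host}$")));}};'
        for host, ip in sorted(mapping.items())
    )


def contextual_csv(mapping: Dict[str, str]) -> str:
    """Render Resolution 3: add-contextual-data() rows as selector,name,value, no header."""
    return "".join(f"{host},HOST,{ip}\n" for host, ip in sorted(mapping.items()))


def render_all(mapping: Dict[str, str]) -> Dict[str, str]:
    """Validate once, then produce both artefacts; raise if the mapping is unusable."""
    problems = validate_mapping(mapping)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumed output file names; adjust to the paths used in the server configuration.
    return {
        "rewrites.conf": conditional_rewrites(mapping),
        "host-ip-pairs.csv": contextual_csv(mapping),
    }


if __name__ == "__main__":
    for name, body in render_all(CLIENTS).items():
        print(f"--- {name} ---")
        print(body, end="" if body.endswith("\n") else "\n")
```

After writing the two files, include rewrites.conf from the server's log statement, check the result with syslog-ng --syntax-only, and reload the server (syslog-ng-ctl reload) so the new rules and the updated CSV take effect.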
© 2025 One Identity LLC. All rights reserved.