[rsyslog-notify] Forum Thread: omudpspoof and ASA - (Mode 'post')

noreply at adiscon.com
Tue Feb 11 23:03:27 CET 2014


User: zangfro 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24211#p24211

Message: 
----------
I'm having a minor (I think) issue:

The current setup I am working with is: we have all of our networking
devices, including Cisco ASAs, pointing to a local rsyslog server; that
local rsyslog server forwards all logs to a remote rsyslog server to be
stored or forwarded.

We utilize the omudpspoof module to retain the device's real IP after the
forwarding process from local rsyslog to remote rsyslog.

The issue I was running into was that when the ASA would forward a syslog
message to local rsyslog and local rsyslog would send that log to the
remote rsyslog server, the ASA would block those messages, since the
source IP was that of the ASA interface itself, due to omudpspoof. Every
other device would obviously spoof and forward fine to the remote rsyslog
server.

So to resolve, or try to resolve, that issue, I created the below template
and filter, so when rsyslog receives a syslog message from the firewall
(192.127.15.14), it changes the source from (192.127.15.14) to
(192.127.15.241), which is the gateway for the rsyslog server, so the
firewall will forward it on and not think its own interface is being
spoofed:


# template supplying the substitute source address for firewall-originated messages
template(name="fwSpoofSrcIP" type="string" string="192.127.15.241")

# messages received from the firewall are sent with the gateway address as source;
# everything else is sent with the original sender's address (omudpspoof default)
if $fromhost-ip == '192.127.15.14' then
    action(type="omudpspoof" target="192.117.3.46"
           sourcetemplate="fwSpoofSrcIP")
else
    action(type="omudpspoof" target="192.117.3.46")

192.127.15.14 = firewall int ip
192.117.3.46 = remote rsyslog

With that configuration I am receiving all forwarded rsyslogs, including
ASA, but then the below message gets logged. If I comment everything out
and just leave the catch-all spoof, action(type="omudpspoof"
target="192.117.3.46"), the below message doesn't get logged.

2/11/2014 1:16:26 PM	ABC-CORE1-FW	Notice	%ASA-2-106016: Deny IP spoof from
(127.0.0.1) to 192.117.3.46 on interface MGMT_NET <- (192.127.15.14)

I hope this makes sense.

Thank you.
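Added example, not part of the forum post or of rsyslog: a small Python triage script for the ASA 106016 "Deny IP spoof" message quoted above. It parses the message fields, encodes the same relay policy as the post's rsyslog filter (firewall messages re-sourced to the gateway, every other sender keeps its real address) to compute the set of source addresses the relay can legitimately emit, and flags 106016 events whose "from" address is outside that set, such as the 127.0.0.1 in the post. The sender list, the switch address 192.127.15.20 and the two extra log lines are constructed for the demo; the regex follows the one message format shown in the post and may need widening for other ASA software versions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Pattern for the ASA "Deny IP spoof" message (id 106016) in the form quoted in the post:
#   %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 192.117.3.46 on interface MGMT_NET
ASA_106016_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106016: Deny IP spoof from \((?P<src>[^)]+)\) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


@dataclass(frozen=True)
class SpoofDeny:
    severity: int
    src: str      # source address the ASA considered spoofed
    dst: str      # destination (the remote rsyslog server)
    iface: str    # ASA interface the packet arrived on


def parse_106016(line: str) -> Optional[SpoofDeny]:
    """Extract the fields of a 106016 message; None for any other line."""
    m = ASA_106016_RE.search(line)
    if m is None:
        return None
    return SpoofDeny(int(m.group("sev")), m.group("src"), m.group("dst"), m.group("iface"))


def expected_source(fromhost_ip: str,
                    firewall_ip: str = "192.127.15.14",
                    gateway_ip: str = "192.127.15.241") -> str:
    """Source address the relay is configured to put on a forwarded message.

    Mirrors the rsyslog policy in the post: messages from the firewall are
    re-sourced to the gateway, all other senders keep their real address
    (omudpspoof's default source is the original sender's IP).
    """
    return gateway_ip if fromhost_ip == firewall_ip else fromhost_ip


def allowed_sources(senders: Iterable[str]) -> Set[str]:
    """Every source address the relay can legitimately emit for the given senders."""
    return {expected_source(ip) for ip in senders}


def triage(lines: Iterable[str], allowed: Set[str]) -> List[SpoofDeny]:
    """Return 106016 events whose spoofed source is not one the relay should produce.

    Such an event means the packet carried an address outside the configured
    policy (the post's 127.0.0.1 case), so the relay configuration is the first
    place to check before treating it as an untrusted sender.
    """
    unexpected = []
    for line in lines:
        ev = parse_106016(line)
        if ev is not None and ev.src not in allowed:
            unexpected.append(ev)
    return unexpected


# Constructed sample input: the message quoted in the post plus two made-up lines.
SAMPLE_LINES = [
    "2/11/2014 1:16:26 PM\tABC-CORE1-FW\tNotice\t%ASA-2-106016: Deny IP spoof from "
    "(127.0.0.1) to 192.117.3.46 on interface MGMT_NET",
    # constructed: a forwarded message whose source is a known switch (not flagged)
    "2/11/2014 1:16:30 PM\tABC-CORE1-FW\tNotice\t%ASA-2-106016: Deny IP spoof from "
    "(192.127.15.20) to 192.117.3.46 on interface MGMT_NET",
    # constructed: unrelated message, ignored by the parser
    "2/11/2014 1:16:31 PM\tABC-CORE1-FW\tInfo\t%ASA-6-302013: Built outbound TCP connection",
]

# Constructed list of devices that log through the relay: the firewall and one switch.
KNOWN_SENDERS = ["192.127.15.14", "192.127.15.20"]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LINES, allowed_sources(KNOWN_SENDERS)):
        print(f"unexpected spoofed source {ev.src} -> {ev.dst} "
              f"on {ev.iface} (severity {ev.severity})")
```

Run against the post's line, the script reports 127.0.0.1 as an address the relay policy never emits, while a 106016 carrying a known device's address is left alone; feeding it the relay's real sender inventory instead of the constructed list turns it into a quick check of whether the ASA drops are caused by the spoof configuration or by something else on the management network.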

