To identify the original IP address of an object that has sent a data packet
In Entuity, you can identify the originating IPv4 source address of a syslog message received by the Entuity syslogger process where relaying has occurred. This address is used by the Entuity event management system (EMS) when it creates the event.
This is an extra search that lets you work around the problem caused when a syslog relay is present (the relay would otherwise hide the original IP address that sent the data packet).
To identify the original IP address of an object that has sent a data packet:
A syslog relayer is required. Linux platforms usually ship rsyslog as part of the distribution. The relayer must be configured so that it forwards to the syslogger process using a message format that includes the original IP address.
1. In entuity.cfg, enable relay handling:
syslogger.relay=true
2. Set the list of addresses that are never treated as the original source:
syslogger.excludedSources=127.0.0.1,0.0.0.0
This specifies a list of IP addresses that are not considered original source IPs. It prevents messages sent by the relayer itself from having the loopback address substituted in as the sender. The defaults are 127.0.0.1 and 0.0.0.0.
3. Set the regular expression used to search the message for the original source IP address:
syslogger.sourceMatcher=(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])
The default is \b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b.
4. The full syslog message is now included in the event, using an extra attribute labelled 'syslogMessage'.
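The following is an added example, not Entuity's own code, showing how the settings above interact: the default sourceMatcher regular expression is applied to each relayed message, any address listed in excludedSources is skipped, and if nothing usable is found the event falls back to the address the packet actually arrived from. The sample syslog lines, the relayer address 10.0.0.2 and the `resolve_source` helper are constructed for this illustration; the real syslogger's internal behaviour may differ in detail.

```python
import re
from dataclasses import dataclass

# The page's default syslogger.sourceMatcher: a dotted-quad IPv4 address
# with each octet in 0-255, bounded by word boundaries.
SOURCE_MATCHER = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b"
)

# The page's default syslogger.excludedSources: addresses never accepted as
# the original source (loopback that the relayer substitutes for itself).
EXCLUDED_SOURCES = frozenset({"127.0.0.1", "0.0.0.0"})


@dataclass
class SyslogEvent:
    transport_sender: str  # address the packet actually arrived from (the relayer)
    source_ip: str         # address the event is attributed to
    syslog_message: str    # full message text, like the page's 'syslogMessage' attribute


def candidate_sources(message, matcher=SOURCE_MATCHER, excluded=EXCLUDED_SOURCES):
    """Return every IPv4 address in the message that is not excluded, in order of appearance."""
    return [m.group(0) for m in matcher.finditer(message) if m.group(0) not in excluded]


def resolve_source(transport_sender, message, relay=True,
                   excluded=EXCLUDED_SOURCES, matcher=SOURCE_MATCHER):
    """Choose the source address for an event.

    Hypothetical re-implementation of the behaviour the page describes: with
    relay enabled, the first non-excluded IPv4 address found in the message
    wins; otherwise (or if nothing matches) the transport sender is used.
    """
    if relay:
        candidates = candidate_sources(message, matcher, excluded)
        if candidates:
            return SyslogEvent(transport_sender, candidates[0], message)
    return SyslogEvent(transport_sender, transport_sender, message)


# Constructed sample traffic as seen by the syslogger, all arriving from the
# relayer at 10.0.0.2. The relay template is assumed to place the original
# sender's address in the header, ahead of any addresses in the message body.
RELAYER = "10.0.0.2"
SAMPLE_RELAYED = ("<34>Oct 11 22:14:15 192.0.2.17 sshd[1234]: "
                  "Failed password for root from 203.0.113.9 port 22")
SAMPLE_LOOPBACK = '<30>Oct 11 22:14:16 127.0.0.1 rsyslogd: [origin software="rsyslogd"] start'
SAMPLE_BAD_OCTET = "<13>Oct 11 22:14:17 app: peer 256.1.1.1 rejected"


def demo():
    """Return the resolved source_ip for each sample line."""
    return {
        "relayed": resolve_source(RELAYER, SAMPLE_RELAYED).source_ip,      # original host
        "loopback": resolve_source(RELAYER, SAMPLE_LOOPBACK).source_ip,    # excluded -> relayer
        "bad_octet": resolve_source(RELAYER, SAMPLE_BAD_OCTET).source_ip,  # no match -> relayer
        "relay_off": resolve_source(RELAYER, SAMPLE_RELAYED, relay=False).source_ip,
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:10s} -> {ip}")
```

Two points worth checking against your own relay setup follow from this logic: the first non-excluded address in the message is taken, so the relay's message format must put the original sender's address before any addresses that happen to appear in the message body; and an address the relayer substitutes for itself (127.0.0.1 by default) is only ignored if it is listed in excludedSources, otherwise it would be reported as the source.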
You can set up an EMS rule with Test and Action defined against the syslogMessage attribute.
If you are an Administrator, you can override this functionality or add your own rule.
Troubleshooting:
If you know your syslog messages are coming through a relayer, but the events do not appear to be attributed to the original source, try the following:
- Change the regular expression that syslogger is using (see Step 3 above); or
- Add a rule from the Event Administration page that extracts the source from the syslog message and places it into the event.