Resolving possible cause for syslog-ng not spoofing log source IP when sending to TIBCO LogLogic LMI
Article ID: KB0077489
Products: TIBCO LogLogic Log Management Intelligence
Versions: all versions
Description
If a LogLogic appliance shows all logs received from a syslog-ng server with the same log source IP as the syslog-ng server itself, the most likely cause is that the syslog-ng server configuration is incorrect, so it does not spoof the correct log source IP.
Resolution
Ensure the configuration file of the syslog-ng server has the following format for destination:

    destination ha_lxs {
        tcp( "192.168.30.51" port(514)
            template( "<$PRI>$R_DATE $SOURCEIP: $MSG\n" )
            template_escape(no) );
    };
Note the angle brackets around $PRI and the “:” after $SOURCEIP. Without these changes, a LogLogic LMI appliance deems the syslog-ng system to be the source.
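One way to check a syslog-ng configuration for the format above, as an added example (not TIBCO or syslog-ng project code). The function name and the destinations d_nobrackets and d_plain are constructed for illustration; only ha_lxs comes from this article.

```python
import re

# A destination block: name, then a body of quoted strings or non-brace text.
# Comments in the configuration are not stripped before matching.
DEST_RE = re.compile(r'destination\s+(\w+)\s*\{((?:"(?:[^"\\]|\\.)*"|[^"}])*)\}\s*;')
# The quoted argument of template( "..." ); template_escape( is not matched.
TMPL_RE = re.compile(r'template\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)')

def lint_destinations(conf_text):
    """Return {destination_name: [problems]} for each destination block."""
    findings = {}
    for name, body in DEST_RE.findall(conf_text):
        problems = []
        m = TMPL_RE.search(body)
        if m is None:
            problems.append("no template() set")
        else:
            tmpl = m.group(1)
            # The article's format starts with the priority in angle brackets.
            if not re.match(r'<\$\{?PRI\}?>', tmpl):
                problems.append("template does not start with <$PRI>")
            # The source IP macro must be followed directly by a colon.
            if not re.search(r'\$\{?SOURCEIP\}?:', tmpl):
                problems.append('no ":" directly after $SOURCEIP')
            if not re.search(r'template_escape\(\s*no\s*\)', body):
                problems.append("template_escape(no) missing")
        findings[name] = problems
    return findings

# Constructed sample: the article's destination plus two deviating ones.
SAMPLE_CONF = r'''
destination ha_lxs { tcp( "192.168.30.51" port(514)
    template( "<$PRI>$R_DATE $SOURCEIP: $MSG\n" ) template_escape(no) ); };
destination d_nobrackets { tcp( "192.168.30.51" port(514)
    template( "$PRI $R_DATE $SOURCEIP $MSG\n" ) template_escape(no) ); };
destination d_plain { tcp( "192.168.30.51" port(514) ); };
'''

if __name__ == "__main__":
    for dest, problems in lint_destinations(SAMPLE_CONF).items():
        print(dest, "OK" if not problems else "; ".join(problems))
```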
Issue/Introduction
This article explains one reason why a syslog-ng server does not properly spoof the log source IP when forwarding events to LogLogic LMI.