Posted to dev@nifi.apache.org by Ronnie Dove <ra...@gmail.com> on 2016/05/03 15:53:28 UTC

Re: PutSyslog IP Address

I think I figured it out now.  I was getting syslog data from various boxes
(GetSysLog) and using the attributes from a ParseSysLog processor to
publish to a destination using PutSysLog.  However, because the socket
connection comes from our NiFi's IP, the IP address associated with the
PutSysLog would end up being our NiFi's IP address instead of the server we
originally received the syslog from.  Our flow is something like this:
GetSysLog => ParseSysLog => PutSysLog (using config properties populated
from attributes; for example, SysLog Body = ${syslog.body}, etc.).  The analytic
engine was cataloging the IP address of NiFi along with the log event.  We
found a workaround for now to make things look correct, but I was thinking
how cool it would be to spoof the IP of the sender of the syslog... but
maybe not a possibility anyway.  Everything else is captured and
translated correctly, just not the source IP from the socket connection.

On Fri, Apr 29, 2016 at 3:27 PM, Bryan Bende <bb...@gmail.com> wrote:

> Hi Ronnie,
>
> syslog.sender is a NiFi specific attribute that is populated by
> ListenSyslog with the host/ip that created the connection to NiFi; it is
> not specific to syslog itself.
>
> syslog.hostname is the host that produced the actual log message and was
> parsed out from the syslog message, this host may or may not be the same as
> your syslog server.
>
> The JSON examples you posted both look like JSON documents representing all
> of the attributes from a NiFi FlowFile, but you mentioned that one was
> going directly from a server to an analytic engine.
>
> Could you elaborate a little more on what your NiFi flow is doing?
>
> Thanks,
>
> Bryan
>
>
> On Fri, Apr 29, 2016 at 2:57 PM, Ronnie Dove <ra...@gmail.com> wrote:
>
> > Hello,
> >
> > Do you guys know if it's possible to send a syslog message on behalf of
> > another server?  For example we have all our syslog data coming into NiFi
> > and would like to PutSyslog to an analytic engine which accepts syslog
> > data.  However, that analytic engine thinks the IP address that the data is
> > coming from is the IP address of NiFi.  We were able to set up through NiFi
> > GUI all the other properties to pull the appropriate data using NiFi
> > expression, but the IP is the missing piece.  I am guessing the socket
> > connection itself is what the engine is looking at for the IP.  But I
> > wanted to confirm that there was no other way to send a "Sender IP" over
> > customized.  For example:
> >
> > DATA COMING DIRECTLY FROM A SERVER TO ANALYTIC ENGINE (Notice
> > syslog.sender):
> >
> > {
> >    "syslog.sender":"/192.168.1.250",
> >    "RouteText.Group":"",
> >    "syslog.severity":"6",
> >    "syslog.body":"test message",
> >    "syslog.priority":"38",
> >    "syslog.facility":"4",
> >    "mime.type":"text/plain",
> >    "RouteText.Route":"unmatched",
> >    "uuid":"817cea69-bc2e-4f84-8ff7-faaa5bee978e",
> >    "syslog.protocol":"UDP",
> >    "path":"./",
> >    "filename":"938709598588638",
> >    "syslog.timestamp":"Apr 29 14:03:27",
> >    "syslog.valid":"true",
> >    "syslog.port":"514",
> >    "syslog.hostname":"spiceworks"
> > }
> >
> >
> > DATA COMING FROM NIFI ON BEHALF OF ANOTHER SERVER: (Notice the Send IP
> will
> > say the IP of NiFi):
> >
> > {
> >    "syslog.sender":"/192.168.1.17", <--- This is my concern currently...
> >    "syslog.severity":"6",
> >    "syslog.version":"6",
> >    "syslog.body":"test message",
> >    "syslog.priority":"38",
> >    "syslog.facility":"4",
> >    "mime.type":"text/plain",
> >    "uuid":"36918325-5fdf-4bb8-ba3a-0b40f2b76944",
> >    "syslog.protocol":"UDP",
> >    "path":"./",
> >    "filename":"938588391613315",
> >    "syslog.timestamp":"Apr 29 14:03:27",
> >    "syslog.valid":"true",
> >    "syslog.port":"510",
> >    "syslog.hostname":"spiceworks"
> > }
> >
>



-- 
Ronnie Dove
http://www.techtunk.com

Re: PutSyslog IP Address

Posted by Andrew Psaltis <ps...@gmail.com>.
Hi John,

The PutSysLog processor has a property on it called "Message
Hostname"; you should be able to populate this with the hostname of the
system that you received the message from with GetSysLog. You will have to
introduce a ParseSyslog into the flow between GetSysLog and PutSysLog, which
will pull out the incoming hostname and write it as a property called
"syslog.hostname".

Hope that helps.
Andrew

On Fri, Feb 23, 2018 at 7:49 AM, John Smith <mc...@hotmail.co.uk> wrote:

> Was just wondering how you (or anyone else) managed to solve this problem?
> We're doing something similar in that we're using Nifi to collect all our
> syslogs (using GetSysLog) and processing and forwarding it on to our ESM
> (using PutSysLog). The IP address which shows up in our ESM is the IP
> address of our Nifi box sending the syslog packets, which is not ideal to say
> the least! My current thought is to write a custom processor, but it would be
> good if I didn't have to do this!
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
>
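The distinction Bryan draws between syslog.sender (the transport peer that opened the connection) and syslog.hostname (the host named inside the message), together with Andrew's suggestion to set PutSyslog's "Message Hostname" to the parsed hostname, is easy to see in a small simulation. The following Python is an added example written for this thread, not code from NiFi or from any of the posters: it renders an RFC 3164 style line the way a relay would (this is a generic model, not PutSyslog's own serializer), parses it on the receiving side alongside the peer address, and shows that once a relay sits in the path the only origin information that survives is the hostname field, so the receiver has to attribute events from a known relay by that field rather than by the socket. All IPs, hostnames and attribute values are constructed, modelled on the ones posted in the thread.

```python
"""Added example: relayed syslog and origin attribution (not NiFi code)."""
import re
from dataclasses import dataclass

# Attributes a ParseSyslog-style step would have produced from the original
# message.  Constructed sample values, modelled on the thread's JSON dumps.
ORIGINAL_ATTRIBUTES = {
    "syslog.priority": "38",          # facility 4 (auth), severity 6 (info)
    "syslog.timestamp": "Apr 29 14:03:27",
    "syslog.hostname": "spiceworks",
    "syslog.body": "test message",
}

ORIGIN_IP = "192.168.1.250"   # constructed: box that produced the log
RELAY_IP = "192.168.1.17"     # constructed: the NiFi node forwarding it
RELAY_NAME = "nifi-node"      # constructed: relay's own hostname
KNOWN_RELAYS = {RELAY_IP}     # receiver-side allowlist of relay peers

# <PRI>TIMESTAMP HOSTNAME BODY, the RFC 3164 shape used in the thread.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<body>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str   # host named in the message (NiFi: syslog.hostname)
    body: str
    sender: str     # transport peer address (NiFi: syslog.sender)


def format_rfc3164(attrs, message_hostname):
    """Render a line from NiFi-style attributes.  `message_hostname` plays
    the role of PutSyslog's "Message Hostname" property."""
    return "<{}>{} {} {}".format(
        attrs["syslog.priority"], attrs["syslog.timestamp"],
        message_hostname, attrs["syslog.body"])


def parse_rfc3164(line, peer_ip):
    """Receiver side: decode the line and record who delivered it."""
    m = RFC3164_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return SyslogEvent(facility=pri // 8, severity=pri % 8,
                       timestamp=m.group("timestamp"),
                       hostname=m.group("hostname"),
                       body=m.group("body"), sender=peer_ip)


def relay_and_receive(message_hostname):
    """Simulate origin -> relay -> analytic engine.  The engine only ever
    sees the relay's address as the peer, whatever the message says."""
    wire = format_rfc3164(ORIGINAL_ATTRIBUTES, message_hostname)
    return parse_rfc3164(wire, peer_ip=RELAY_IP)


def attribute_origin(event):
    """Receiver-side rule: for a peer on the relay allowlist, the origin is
    the hostname carried in the message; otherwise the peer address is the
    origin, since an arbitrary sender could name any host it likes."""
    if event.sender in KNOWN_RELAYS:
        return event.hostname
    return event.sender


if __name__ == "__main__":
    # Relay stamps its own name: origin is lost on the receiving side.
    lost = relay_and_receive(RELAY_NAME)
    print("peer=%s hostname=%s -> origin %s"
          % (lost.sender, lost.hostname, attribute_origin(lost)))
    # Relay forwards ${syslog.hostname}: origin survives the hop.
    kept = relay_and_receive(ORIGINAL_ATTRIBUTES["syslog.hostname"])
    print("peer=%s hostname=%s -> origin %s"
          % (kept.sender, kept.hostname, attribute_origin(kept)))
```

The allowlist in attribute_origin is the receiver-side half of the fix: forwarding the parsed hostname only helps if the analytic engine is configured to trust that field for messages arriving from the relay's address, and only from that address, because any other peer can put whatever it wants in the HOSTNAME field.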

Re: PutSyslog IP Address

Posted by Andre <an...@fucs.org>.
John,

In addition to what Andrew said, if by ESM you refer to McAfee ESM, then
you need to be mindful it expects the system to send data in a particular
format and the data source to be configured on what they call a Forwarder.

Cheers



On Fri, Feb 23, 2018 at 11:49 PM, John Smith <mc...@hotmail.co.uk> wrote:

> Was just wondering how you (or anyone else) managed to solve this problem?
> We're doing something similar in that we're using Nifi to collect all our
> syslogs (using GetSysLog) and processing and forwarding it on to our ESM
> (using PutSysLog). The IP address which shows up in our ESM is the IP
> address of our Nifi box sending the syslog packets, which is not ideal to say
> the least! My current thought is to write a custom processor, but it would be
> good if I didn't have to do this!
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
>

Re: PutSyslog IP Address

Posted by John Smith <mc...@hotmail.co.uk>.
Was just wondering how you (or anyone else) managed to solve this problem?
We're doing something similar in that we're using Nifi to collect all our
syslogs (using GetSysLog) and processing and forwarding it on to our ESM
(using PutSysLog). The IP address which shows up in our ESM is the IP
address of our Nifi box sending the syslog packets, which is not ideal to say
the least! My current thought is to write a custom processor, but it would be
good if I didn't have to do this!



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/