How do I get rsyslog to mirror traffic unmodified (including origin IP) to another port?
I have many devices sending data into port 514, but I need two different applications on the server to receive that data.
I tried adding the following to the bottom of /etc/rsyslog.conf:
*.* @@127.0.0.1:1514
# also tried
*.* @127.0.0.1:1514
The application listening on 1514 gets all the data, but the source address is always 127.0.0.1. If I send logs directly to port 1514, the application listening at 1514 sees the correct source address, but now rsyslog doesn't see the data since it's listening on port 514.
How do I get rsyslog to mirror traffic unmodified (including origin IP) to another port?
For whatever reason, the following iptables rules (as an alternative to the above) are not redirecting traffic on Ubuntu Server 18.04 LTS to resolve the problem, so I was hoping there was a way to tweak my /etc/rsyslog.conf to make sure 1514 saw the original source instead of 127.0.0.1.
Example alternative iptables rules that aren't mirroring traffic (or at least Graylog can't see it):
iptables -t mangle -A PREROUTING -p tcp --dport 514 -j TEE --gateway 127.0.0.2
iptables -t nat -A PREROUTING -d 127.0.0.2 -p tcp --dport 514 -j DNAT --to 127.0.0.1:1514
iptables -t mangle -A PREROUTING -p udp --dport 514 -j TEE --gateway 127.0.0.2
iptables -t nat -A PREROUTING -d 127.0.0.2 -p udp --dport 514 -j DNAT --to 127.0.0.1:1514
Note that my ufw rules are 22 ALLOW Anywhere and 514 ALLOW Anywhere.
0 Answers
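Added example, not part of the question above and not code from the rsyslog project: rsyslog forwards with its own socket, so the transport-level peer address that the 1514 listener sees will always be 127.0.0.1; a forwarding action cannot spoof the device's IP. What rsyslog can do is carry the original sender's IP inside each forwarded message. The configuration below, in rsyslog's RainerScript syntax (rsyslog 8.x as shipped with Ubuntu 18.04), replaces the `*.* @127.0.0.1:1514` line with an action whose template puts the `fromhost-ip` property in the HOSTNAME position of the forwarded line. The template name `FwdWithOrigin` is an arbitrary choice, and the UDP/TCP input lines are assumed to match the existing port 514 listener.

```rsyslog
# Receive from the devices on 514 over both transports.
# (If rsyslog.conf already has these for port 514, keep the existing ones.)
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Forwarding template (assumed name): same layout as rsyslog's built-in
# RSYSLOG_ForwardFormat, but with the immediate sender's IP (fromhost-ip)
# in the HOSTNAME field instead of whatever hostname the device wrote.
template(name="FwdWithOrigin" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %fromhost-ip% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n")

# Equivalent of "*.* @127.0.0.1:1514", but using the template above.
# The socket peer seen on 1514 is still 127.0.0.1; the origin IP travels
# in the message. Use protocol="tcp" for the "@@" (TCP) variant.
*.* action(type="omfwd" target="127.0.0.1" port="1514" protocol="udp"
           template="FwdWithOrigin")
```

Because the device IP now occupies the syslog HOSTNAME field, a receiver that parses standard syslog (Graylog's syslog input, for instance, which fills its source field from that position) attributes each line to the device rather than to localhost. If the receiver needs the device's own hostname as well, keep %HOSTNAME% in the template and append %fromhost-ip% elsewhere in the line, then extract it on the receiving side.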