Syslog source address not working?

I am trying to log to a remote syslog server over a VPN.

So I set up the remote syslog action & specify a source address of 192.168.42.1 (the LAN IP of the ROS board) which is part of the VPN tunneled range (192.168.42.0/23). However the Syslog entries don’t arrive. Using the Packet Sniffer on the ROS I see the syslog entries being sent with the source address of the WAN interface of the ROS, not the specified source address…

Log action entry:
add bsd-syslog=no name=tonetmon remote=10.55.12.60:514 src-address=192.168.42.1 syslog-facility=daemon syslog-severity=auto target=remote

Output of packet sniffer
41 time=6.044 src-mac-address=00:0C:42:5A:18:C5
dst-mac-address=00:22:3F:4A:4A:82 interface=Internet
src-address=80.74.255.110:514 (syslog)
dst-address=10.55.12.60:514 (syslog) protocol=ip ip-protocol=udp size=65
ip-packet-size=65 ip-header-size=20 dscp=0 identification=0
fragment-offset=0 ttl=64

42 time=6.671 src-mac-address=00:0C:42:5A:18:C5
dst-mac-address=00:22:3F:4A:4A:82 interface=Internet
src-address=80.74.255.110:514 (syslog)
dst-address=10.55.12.60:514 (syslog) protocol=ip ip-protocol=udp size=65
ip-packet-size=65 ip-header-size=20 dscp=0 identification=0
fragment-offset=0 ttl=64

Am I doing something wrong or is it broken??

David

no NAT rules?

There is only NAT for the internal Clients out to the internet.

Do you mean I should have NAT rules? How do I specify the source address - this is traffic originated internally to the ROS box so its source address will vary according to the route it takes out of the box - which is what I am trying to force…

hmm that gives me an idea…
… nope can’t seem to force it using routes - not sure what gateway I should put in…

David

I thought your syslog traffic is masqueraded

post your NAT rules

NAT rules are simple - NAT 192.168.42.0/24 to the internet interface address.
(Also NAT another subnet 192.168.43.0/24 to the same address.)

This traffic is not NAT’d and shouldn’t be… It should be caught by the IPSEC VPN before it gets NAT’d, other devices on 192.168.42.0 work correctly & I can access them over the VPN and they send me syslogs…

David

OK good call - I needed to exempt the traffic to 10.55.12.0/24 from the NAT rule…

All working OK now!!

Thanks

David
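
Added example (not from any poster in this thread): a small Python model of why the exemption resolved it, tracing only the router's own syslog packet through a first-match source-NAT chain and then an IPsec policy lookup on the post-NAT addresses. The rule sets and the policy selectors are constructed from the thread's description and are assumptions, not the actual configuration.

```python
import ipaddress
from dataclasses import dataclass

WAN_ADDR = "80.74.255.110"  # WAN source address seen in the sniffer output
# Assumed IPsec policy selectors: tunneled range -> remote syslog subnet.
IPSEC_POLICY = ("192.168.42.0/23", "10.55.12.0/24")


@dataclass
class NatRule:
    action: str              # "accept" leaves the packet untouched, "src-nat" rewrites it
    src: str
    dst: str = "0.0.0.0/0"
    to_addr: str = ""


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def srcnat(rules, src, dst):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in rules:
        if in_net(src, rule.src) and in_net(dst, rule.dst):
            return rule.to_addr if rule.action == "src-nat" else src
    return src


def send(rules, src, dst):
    """Return (source address on the wire, True if the IPsec policy matches)."""
    wire_src = srcnat(rules, src, dst)
    # The policy is checked after source NAT, so it sees the rewritten address.
    tunneled = in_net(wire_src, IPSEC_POLICY[0]) and in_net(dst, IPSEC_POLICY[1])
    return wire_src, tunneled


# Constructed rule sets: the two NAT rules as described in the thread ...
BEFORE = [
    NatRule("src-nat", "192.168.42.0/24", to_addr=WAN_ADDR),
    NatRule("src-nat", "192.168.43.0/24", to_addr=WAN_ADDR),
]
# ... and the same chain with an exemption for 10.55.12.0/24 placed first.
AFTER = [NatRule("accept", "192.168.42.0/23", "10.55.12.0/24")] + BEFORE

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, send(rules, "192.168.42.1", "10.55.12.60"))
```

In the "before" chain the packet leaves with the WAN address, which is what the sniffer output shows, and no longer matches the tunnel selectors; with the exemption first it keeps 192.168.42.1 and matches.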