SYSLOG over NAT wrong source in eventconsole

CMK version: 2.0.0p25 (CEE)
OS version: Ubuntu 20.04.5 LTS

Hey,

I don’t know, I guess it’s not really a cmk problem, but maybe someone can help me nevertheless.

I have a source host in a subnet which is sending syslog messages to our cmk-server. The cmk-server is behind a firewall and we use NAT to translate the destination address to the local cmk-server IP.

cmk-server --> firewall --> host
IP1 ------------ IP2 | IP3 ------ IP4

So the syslog trap goes to the IP3 address and then NAT translates the destination to IP1.

In the eventconsole the source that is shown for the trap is IP2 - the gateway for the cmk-server.
Could it be that the syslog packet itself is wrong?

Here I see that the src of the packet is “_gateway”, that is IP2. That’s also the IP that is shown in the eventconsole.

thx

Josef

IP2 is where your cmk server receives the trap from after NAT on the firewall. So the cmk-server is working fine.

If you don’t like that, you could rewrite them back to the IP4 address with Event Console rules (Setup → Events → Event Console rule packs).

Hey,

the problem is that the syslog message contains no information about which of my 50 hosts has sent that trap, so rewriting only works if I can identify the real host.

Hey,

then either NAT every host to a different virtual ip, or don’t NAT at all :wink:

Maybe you can configure the trap sender to include the hostname/IP (very unlikely), but then again changing syslog content is not best practice… :disappointed:

Could it be a solution to place a syslog collector in my subnet and connect that VM to the CMK server?
That VM could forward the collected messages to CMK, or CMK could collect messages from there.

Looks like Checkmk has no syslog collector. I believe a distributed monitoring site is the way to go.

The syslog collector would see the “real” IP of the trap sender, but if it forwards the syslog messages to your cmk-server, the real IP would be lost again…
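To illustrate the attribution problem discussed in this thread, here is an added example (not from the thread or from Checkmk): it parses the HOSTNAME field of an RFC 5424 or RFC 3164 syslog datagram, falls back to the UDP source address when the message carries no hostname, and flags the event as unattributable when that source address is a known NAT gateway (IP2 in the diagram above). The gateway address and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the firewall's inside address as seen by the
# cmk-server (IP2 in the thread's diagram). Packets from here cannot be
# attributed to a specific sender behind the NAT.
NAT_GATEWAY_IPS = {"10.0.0.1"}

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
# RFC 3164 (BSD) header: <PRI>TIMESTAMP HOSTNAME TAG: MSG
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ")


@dataclass
class Attribution:
    host: str        # host the event is attributed to
    source: str      # "hostname" (from the message) or "packet" (UDP source)
    reliable: bool   # False when only a NAT gateway address is available


def extract_hostname(text: str) -> Optional[str]:
    """Return the HOSTNAME field of a syslog message, or None if absent."""
    m = RFC5424.match(text) or RFC3164.match(text)
    if not m:
        return None
    candidate = m.group(3)  # group 3 is HOSTNAME in both header formats
    # RFC 5424 writes "-" for a missing hostname; many BSD-style senders omit
    # the field entirely, so the token in that position is the TAG ("kernel:"
    # or "sshd[123]:"). Treat both as "no hostname".
    if candidate == "-" or candidate.endswith(":") or "[" in candidate:
        return None
    return candidate


def attribute(datagram: bytes, src_ip: str) -> Attribution:
    """Decide which host a syslog datagram came from and how trustworthy that is."""
    text = datagram.decode("utf-8", errors="replace")
    hostname = extract_hostname(text)
    if hostname:
        return Attribution(hostname, "hostname", True)
    # No hostname in the message: the packet source is all we have, and after
    # NAT that source is the gateway, not the real sender.
    return Attribution(src_ip, "packet", src_ip not in NAT_GATEWAY_IPS)


if __name__ == "__main__":
    # Constructed sample datagrams, both arriving from the NAT gateway address.
    print(attribute(b"<165>1 2024-05-01T10:00:00Z switch01 snmpd - - - link down", "10.0.0.1"))
    print(attribute(b"<13>May  1 10:00:00 kernel: eth0 link down", "10.0.0.1"))
```

An Event Console rewrite rule can only map the event to the right host in the first case; in the second case the only identifier is the gateway address, which is exactly the situation described above.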
