Firewalls -> nginx (udp) -> 4 x logstash losing device IP

I'm using Nginx configured as a load balancer to distribute firewall syslogs amongst my cluster's 4 logstash instances.

The problem I have is that logstash sees the IP of the load balancer rather than the original device.
If I configure proxy_bind transparent, logstash ignores the messages altogether. It would seem that logstash still sees the load balancer IP even on spoofed packets. I've included example configs and the corresponding tcpdump output from one of the nodes below. In both cases, the logstash filter is the same. The IP of the source is 10.0.2.1 and the load balancer is 10.0.8.30.

[logstash filter]
    input {
      udp {
        port => "5514"
      }
      tcp {
        port => "5514"
      }
    }

    filter {
      if ("10.0.8.30" in [host]) or ("10.0.2.1" in [host]) {
        mutate {
          replace => { type => "cisco-asa" }
        }
      }
    }

This one works, but the host IP is incorrect (it is the load balancer's):

[nginx config]
    user root;
    stream {
        upstream syslog {
            least_conn;
            server 10.0.8.31:5514;
            server 10.0.8.32:5514;
            server 10.0.8.33:5514;
        }
        server {
            listen 5514 udp;
            proxy_buffer_size 128k;
            proxy_pass syslog;
    #        proxy_bind $remote_addr:5514 transparent;
        }
    }

[tcpdump output]
    10:47:33.420909 IP (tos 0x0, ttl 64, id 17970, offset 0, flags [DF], proto UDP (17), length 132)
        10.0.8.30.41311 > XXX-XXX-DKR01.local.5514: [udp sum ok] UDP, length 104
    E...F2@.@...
    ...
    ...._...p..<166>%ASA-6-305011: Built dynamic TCP translation from any:10.0.0.26/53647 to outside:xxx.xx.xx.x/53647

This one passes the right IP address but logstash fails to see the message:

[nginx config]
    user root;
    stream {
        upstream syslog {
            least_conn;
            server 10.0.8.31:5514;
            server 10.0.8.32:5514;
            server 10.0.8.33:5514;
        }
        server {
            listen 5514 udp;
            proxy_buffer_size 128k;
            proxy_pass syslog;
            proxy_bind $remote_addr:5514 transparent;
        }
    }

[tcpdump output]
    10:49:02.596593 IP (tos 0x0, ttl 64, id 59506, offset 0, flags [DF], proto UDP (17), length 152)
        10.0.2.1.5514 > XXX-XXX-DKR01.local.5514: [udp sum ok] UDP, length 124
    E....r@.@.3.
    ...
    ...........<166>%ASA-6-305012: Teardown dynamic UDP translation from any:10.0.8.10/50409 to outside:xxx.xx.xx.x/50409 duration 0:00:00

I think either I'm missing some proxy_bind parameter, or some logstash config, but I'm stumped...
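The post shows the spoofed datagram arriving on the node in tcpdump but never reaching logstash. tcpdump taps the interface before the kernel's routing and netfilter checks run, so a packet that is visible in the capture but never delivered to a socket was discarded somewhere in between; reverse-path filtering is a frequent cause for transparent-proxy setups, because the spoofed source (10.0.2.1 here) is not necessarily routed back through the interface the packet came in on. The script below is an added example, not part of the original post and not code from nginx or Logstash: it runs a throwaway UDP listener that records the peer address the socket actually reports (the value Logstash's udp input puts in [host]), decodes the <PRI> prefix of the ASA messages seen in the tcpdump payloads, and reads the per-interface rp_filter mode. The loopback round trip, the sample message and the rp_filter value meanings (0 off, 1 strict, 2 loose) are assumptions of the example; on a backend node you would bind the listener to the port nginx targets instead of an ephemeral loopback port.

```python
"""Loopback check of what a UDP syslog listener sees as the peer address,
plus decoding of the <PRI> prefix on the ASA messages shown in the tcpdump
output. Added example; not part of the original post or of Logstash/nginx."""
import glob
import os
import re
import socket
from typing import Dict, Optional

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample payload, copied from the message text in the first tcpdump
# capture above (the masked public address is kept as the post shows it).
SAMPLE_MESSAGE = ("<166>%ASA-6-305011: Built dynamic TCP translation "
                  "from any:10.0.0.26/53647 to outside:xxx.xx.xx.x/53647")


def parse_pri(message: str) -> Dict[str, object]:
    """Split a syslog datagram into facility, severity and the remaining text."""
    match = PRI_RE.match(message)
    if match is None:
        raise ValueError("no <PRI> prefix: %r" % message[:40])
    pri = int(match.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "pri": pri,
        "facility": FACILITIES[pri >> 3],   # high bits: facility code
        "severity": SEVERITIES[pri & 7],    # low 3 bits: severity code
        "msg": match.group(2),
    }


def receive_one(sock: socket.socket, timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Read one datagram and record the peer address the socket reports.
    This is what Logstash's udp input stores in [host]: the address the kernel
    delivered to the socket after routing and netfilter had their say."""
    sock.settimeout(timeout)
    try:
        data, (addr, port) = sock.recvfrom(65535)
    except socket.timeout:
        return None
    event = parse_pri(data.decode("utf-8", errors="replace"))
    event["host"] = addr
    event["port"] = port
    return event


def loopback_roundtrip(message: str = SAMPLE_MESSAGE) -> Optional[Dict[str, object]]:
    """Send one datagram over loopback to a throwaway listener and return what
    the listener saw. On a backend node, bind the listener to the port nginx
    targets (5514 in the post) and compare with tcpdump: a packet present in
    the capture but never delivered here was dropped by the kernel in between."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        tx.sendto(message.encode("utf-8"), rx.getsockname())
        return receive_one(rx)
    finally:
        rx.close()
        tx.close()


def rp_filter_settings() -> Dict[str, int]:
    """Return the reverse-path filter mode per interface (Linux only; empty
    elsewhere). Assumption: 0 = off, 1 = strict, 2 = loose. Strict mode drops a
    datagram whose source address is not routed back through the interface it
    arrived on, which is the situation a transparent proxy's spoofed packets
    create on the backend node."""
    result: Dict[str, int] = {}
    for path in glob.glob("/proc/sys/net/ipv4/conf/*/rp_filter"):
        iface = os.path.basename(os.path.dirname(path))
        try:
            with open(path) as fh:
                result[iface] = int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return result


if __name__ == "__main__":
    seen = loopback_roundtrip()
    if seen is None:
        print("nothing received on loopback")
    else:
        print("socket saw peer %s:%s facility=%s severity=%s" % (
            seen["host"], seen["port"], seen["facility"], seen["severity"]))
    for iface, mode in sorted(rp_filter_settings().items()):
        print("rp_filter %s=%d" % (iface, mode))
```

Run it once on a backend node while nginx is forwarding with proxy_bind transparent; if tcpdump keeps showing 10.0.2.1 datagrams on port 5514 but the listener never reports them, the drop is happening in the kernel rather than in Logstash, and the rp_filter modes printed for the receiving interface are the first thing to compare against the route the node has back to 10.0.2.1.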
