Using cidr plugin for tagging logs

This is almost that, except all logs are filled with the hostname and not with the IP in the host field.
Before logs are sent to Logstash, they look like this (for example, with "systemctl restart sshd"):

Jan 27 16:12:09 client-log1 systemd: stopping OpenSSH server daemon ...
Jan 27 16:12:09 client-log1 systemd: started OpenSSH server Key Generation ...
Jan 27 16:12:09 client-log1 systemd: started OpenSSH server daemon ...
....
The third field gives the hostname and not the IP address.

Hmmm,
I am not sure then.

If you do a tcpdump -nAv src x.x.x.x

What does the raw log look like?

It looks like this:

root@rsyslog:~# tcpdump -nAv -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:24:11.722596 IP (tos 0x0, ttl 64, id 45636, offset 0, flags [DF], proto UDP (17), length 289)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 261
Facility authpriv (10), Severity notice (5)
Msg: Jan 27 16:24:11 client-log1 polkitd[895]: Registered Authentication Agent for unix-process:24931:2607368 (system bus name :1.935 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8)
E..!.D@.@..h..............A.<85>Jan 27 16:24:11 client-log1 polkitd[895]: Registered Authentication Agent for unix-process:24931:2607368 (system bus name :1.935 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8)
16:24:11.725109 IP (tos 0x0, ttl 64, id 45637, offset 0, flags [DF], proto UDP (17), length 105)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 77
Facility authpriv (10), Severity info (6)
Msg: Jan 27 16:24:11 client-log1 sshd[24898]: Received signal 15; terminating.
E..i.E@.@./..............U..<86>Jan 27 16:24:11 client-log1 sshd[24898]: Received signal 15; terminating.
16:24:11.725126 IP (tos 0x0, ttl 64, id 45638, offset 0, flags [DF], proto UDP (17), length 102)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 74
Facility daemon (3), Severity info (6)
Msg: Jan 27 16:24:11 client-log1 systemd: Stopping OpenSSH server daemon...
E..f.F@.@./!.............R..<30>Jan 27 16:24:11 client-log1 systemd: Stopping OpenSSH server daemon...
16:24:11.727473 IP (tos 0x0, ttl 64, id 45639, offset 0, flags [DF], proto UDP (17), length 107)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 79
Facility daemon (3), Severity info (6)
Msg: Jan 27 16:24:11 client-log1 systemd: Started OpenSSH Server Key Generation.
E..k.G@.@./..............W..<30>Jan 27 16:24:11 client-log1 systemd: Started OpenSSH Server Key Generation.
16:24:11.727487 IP (tos 0x0, ttl 64, id 45640, offset 0, flags [DF], proto UDP (17), length 99)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 71
Facility daemon (3), Severity info (6)
Msg: Jan 27 16:24:11 client-log1 systemd: Started OpenSSH server daemon.
E..c.H@.@./".............O_
<30>Jan 27 16:24:11 client-log1 systemd: Started OpenSSH server daemon.
16:24:11.727488 IP (tos 0x0, ttl 64, id 45641, offset 0, flags [DF], proto UDP (17), length 102)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 74
Facility daemon (3), Severity info (6)
Msg: Jan 27 16:24:11 client-log1 systemd: Starting OpenSSH server daemon...
E..f.I@.@./..............R..<30>Jan 27 16:24:11 client-log1 systemd: Starting OpenSSH server daemon...
16:24:11.732388 IP (tos 0x0, ttl 64, id 45642, offset 0, flags [DF], proto UDP (17), length 268)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 240
Facility authpriv (10), Severity notice (5)
Msg: Jan 27 16:24:11 client-log1 polkitd[895]: Unregistered Authentication Agent for unix-process:24931:2607368 (system bus name :1.935, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8) (disconnected from bus)
E....J@.@..w................<85>Jan 27 16:24:11 client-log1 polkitd[895]: Unregistered Authentication Agent for unix-process:24931:2607368 (system bus name :1.935, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8) (disconnected from bus)
16:24:11.738678 IP (tos 0x0, ttl 64, id 45643, offset 0, flags [DF], proto UDP (17), length 109)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 81
Facility authpriv (10), Severity info (6)
Msg: Jan 27 16:24:11 client-log1 sshd[24937]: Server listening on 0.0.0.0 port 22.
E..m.K@.@./..............Y..<86>Jan 27 16:24:11 client-log1 sshd[24937]: Server listening on 0.0.0.0 port 22.
16:24:11.738693 IP (tos 0x0, ttl 64, id 45644, offset 0, flags [DF], proto UDP (17), length 104)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 76
Facility authpriv (10), Severity info (6)
Msg: Jan 27 16:24:11 client-log1 sshd[24937]: Server listening on :: port 22.
E..h.L@.@./..............T./<86>Jan 27 16:24:11 client-log1 sshd[24937]: Server listening on :: port 22.

Indeed, I see the IP address of the host that sends the log; this is 172.16.0.1 in this case. But why can't we find it anywhere else?

Well, two things:

First, the -n flag tells tcpdump to NOT lookup the DNS info.
Second, in my syslog-ng config, I have it explicitly NOT performing DNS queries for incoming messages.

Based on this log message:

16:24:11.725109 IP (tos 0x0, ttl 64, id 45637, offset 0, flags [DF], proto UDP (17), length 105)
172.16.0.1.43954 > 172.16.0.254.514: SYSLOG, length: 77
Facility authpriv (10), Severity info (6)
Msg: Jan 27 16:24:11 client-log1 sshd[24898]: Received signal 15; terminating.
E..i.E@.@./..............U..<86>Jan 27 16:24:11 client-log1 sshd[24898]: Received signal 15; terminating.

Your sending devices are targeting the 172.16.0.254 on port 514. Is Logstash listening on port 514 or is that rsyslog that is listening on port 514?

Rsyslog is listening on port 514 but sends logs to Logstash on a different port (5514).
Indeed, the Rsyslog server has the hostname of the host 172.16.0.1 in its /etc/hosts to simulate a DNS server.

Ok,
I think the only thing you need to do then, is have rsyslog not parse incoming messages. (Not sure how to do that.)

Then when it forwards up to 5514, it should create a new header and add the sender's IP in the header.

Here is my log from earlier:

<13>Jan 27 09:37:45.145416 x.x.x.x <3>Jan 27 09:37:45 HOSTNAME kernel: [71957.045063] iSCSI Login timeout on Network Portal x.x.x.x:3260

The italics is what syslog-ng is putting in the header. The BOLD is the original message that syslog-ng received.
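An added example (not code from this thread) of what the Logstash cidr filter would have to work with once the relay prepends a header carrying the sender IP: it parses both the relayed form shown in the message above and the plain form seen in the tcpdump capture, then tags each event by the network its sender IP falls in. The network list, the sample lines and the 172.16.0.1 / 10.1.2.3 values in them are constructed for the example.

```python
import ipaddress
import re

# Relayed form: the relay prepends "<PRI>TIMESTAMP SENDER-IP " in front of the
# original "<PRI>TIMESTAMP HOST ..." message it received.
RELAYED = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ [\d:.]+) (?P<sender>\S+) "
    r"<(?P<opri>\d+)>(?P<ots>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<msg>.*)$"
)
# Plain form, as seen on the wire in the tcpdump capture: "<PRI>TIMESTAMP HOST ..."
PLAIN = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<msg>.*)$")

# Constructed network-to-tag map; stands in for the cidr filter's address list.
NETWORKS = {
    "dmz": ipaddress.ip_network("172.16.0.0/24"),
    "corp": ipaddress.ip_network("10.0.0.0/8"),
}

# Constructed sample lines (IPs replace the x.x.x.x placeholders of the thread).
RELAYED_LINE = ("<13>Jan 27 09:37:45.145416 172.16.0.1 <3>Jan 27 09:37:45 client-log1 "
                "kernel: [71957.045063] iSCSI Login timeout on Network Portal 10.1.2.3:3260")
PLAIN_LINE = "<30>Jan 27 16:24:11 client-log1 systemd: Started OpenSSH server daemon."


def parse(line):
    """Return an event dict; source_ip is None when no relay header is present."""
    m = RELAYED.match(line)
    if m:
        return {"source_ip": m["sender"], "host": m["host"], "message": m["msg"]}
    m = PLAIN.match(line)
    if m:
        return {"source_ip": None, "host": m["host"], "message": m["msg"]}
    return None


def tag(event):
    """Tag the event with every network containing its sender IP (cidr-filter style)."""
    try:
        addr = ipaddress.ip_address(event.get("source_ip"))
    except (TypeError, ValueError):
        # No usable sender IP (the situation in this thread): nothing would match,
        # so mark the event explicitly instead of silently leaving it untagged.
        return ["no_source_ip"]
    return [name for name, net in NETWORKS.items() if addr in net]


def process(line):
    event = parse(line)
    if event is not None:
        event["tags"] = tag(event)
    return event
```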

OK thanks. I will look into that this weekend; I'll keep you in touch, but it is beginning to be heavy to deal with for me :smile:

Understood and happy to help, with what little I know. :slight_smile:

If you get hung up on rsyslog and want to try syslog-ng, let me know.
