Use HAProxy to proxy logs between Cisco and Wazuh

Hello all,

I’m working to get HAProxy to proxy syslog from Cisco network equipment to the Wazuh SIEM. I’m having an issue where the syslog messages are not being properly decoded because of the header changes that HAProxy is making.

Example:

tcpdumpv -n -Q in port 514 on HAProxy
Msg: 17173731: SITE-CORE: Sep 23 11:43:44: %SEC-6-IPACCESSLOGP: list XYZ.SCAN denied tcp XXX.XXX.XXX.XXX(443) → 10.X.X.X(60464), 1 packet

Yields: tcpdumpv -n -Q in port 514 on Wazuh
Msg: Sep 23 15:46:41 10.X.X.X 17173731: SITE-CORE: Sep 23 11:43:44: %SEC-6-IPACCESSLOGP: list XYZ.SCAN denied tcp XXX.XXX.XXX.XXX(443) → 10.X.X.X(60464), 1 packet

I changed the frontend config to add the format flag, which works and partly decodes.
log-forward syslog
    dgram-bind <HAProxy IP>:514
    log backend@mylog-rrb format rfc5424 local0

I would like to get HAProxy to either not alter the syslog data or remap the hostname of the device that sent the message to the proper field in the header.

I have tried all of the option host { replace | fill | keep | append } variants and nothing works.

Of note: I’m using HAProxy version 3.2.4, and logs are received and sent over UDP. Some of my Cisco devices don’t support sending logs in RFC5424 format.

Thanks,
MJ

It doesn’t look like a compliant rfc3164 or rfc5424 message to me, so what probably happens is that haproxy considers the whole input message as the “payload” part of the message and adds the mandatory rfc5424 headers in front of it, but the logging endpoint may be unhappy with that.

I would suggest trying:

  • not specifying “format” on the log directive, to let haproxy try to guess the input format and preserve it (whether it is rfc3164 or rfc5424)
  • taking a look at “dont-parse-log” and “assume-rfc6587-ntf” to force haproxy to ignore errors in the log messages and let them pass through to the log endpoint

If that doesn’t help, we would appreciate it if you could paste the exact input log message as received by haproxy (the tcpdump capture seems incomplete, since part of the log header appears to be stripped).

Thank you for pointing out the “option dont-parse-log”, that is what I was looking for.

I’m still seeing a sequence number in my tcpdump and I would like to know how to get you exactly what HAProxy is seeing, but I’m not sure which log to look at for that. Can you please point me in the right direction?

Kind regards,

MJ


Great!

A log message should normally start with the priority enclosed within <>, followed by the timestamp and then the hostname.

Like so:

<13>Feb  5 17:32:18 10.0.0.99 xxxxx

And in your previous tcpdump output I don’t see the priority; that’s why I suspected it was incomplete.
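To make the two replies above concrete, here is an added example (my own code, not from the thread, HAProxy or Wazuh): a small checker that classifies a syslog line as rfc5424, rfc3164 or raw using simplified header patterns (not full RFC grammars), plus a model of what a parsing relay does with a non-compliant line, namely treat the whole line as payload and prepend a fresh header, versus passing it through untouched. The sample lines are constructed (the Cisco line mirrors the shape of the one in the thread with addresses replaced by RFC 5737 test ranges), and the arrival time, source IP, facility and severity used for the generated header are assumptions, not HAProxy’s actual values.

```python
import re
from datetime import datetime

# Constructed samples, not real captures.
CISCO_RAW = ("17173731: SITE-CORE: Sep 23 11:43:44: %SEC-6-IPACCESSLOGP: "
             "list XYZ.SCAN denied tcp 203.0.113.10(443) -> 192.0.2.20(60464), 1 packet")
RFC3164_OK = "<13>Feb  5 17:32:18 10.0.0.99 xxxxx"
RFC5424_OK = ("<165>1 2003-10-11T22:14:15.003Z mymachine.example.com "
              "evntslog - ID47 - BOM'su root' failed")

# Assumed arrival time and source address used by the relay model below.
EXAMPLE_NOW = datetime(2025, 9, 23, 15, 46, 41)
EXAMPLE_SRC = "192.0.2.1"

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG  (day is space-padded, "Feb  5")
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.S)

# RFC 5424 shape: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)$", re.S)


def classify(msg):
    """Return (fmt, fields); fmt is 'rfc5424', 'rfc3164' or 'raw'.

    PRI must be 0..191 (facility 0..23 * 8 + severity 0..7).
    """
    m = _RFC5424.match(msg)
    if m and int(m["pri"]) <= 191:
        return "rfc5424", m.groupdict()
    m = _RFC3164.match(msg)
    if m and int(m["pri"]) <= 191:
        return "rfc3164", m.groupdict()
    return "raw", {"msg": msg}


def relay(msg, src_ip=EXAMPLE_SRC, now=EXAMPLE_NOW, parse=True,
          facility=16, severity=5):
    """Model of a relay in front of the SIEM.

    parse=True:  a compliant line is forwarded as-is; a non-compliant line is
                 treated as payload and a new RFC 3164 header (PRI, arrival
                 time, sender IP) is prepended, which reproduces the doubled
                 timestamp seen in the thread's second tcpdump.
    parse=False: pass-through, the behaviour the thread wanted from
                 "option dont-parse-log".
    Facility local0 (16) and severity notice (5) are assumed defaults here.
    """
    if not parse:
        return msg
    fmt, _ = classify(msg)
    if fmt != "raw":
        return msg
    pri = facility * 8 + severity
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 space-padded day
    return f"<{pri}>{ts} {src_ip} {msg}"


if __name__ == "__main__":
    for line in (RFC5424_OK, RFC3164_OK, CISCO_RAW):
        fmt, fields = classify(line)
        print(f"{fmt:8} host={fields.get('host', '-'):22} {line[:50]}...")
    print("parsed relay :", relay(CISCO_RAW))
    print("pass-through :", relay(CISCO_RAW, parse=False))
```

Run it against a line copied from a tcpdump -A capture to see which branch it takes: a line that comes back as “raw” is exactly the case where a parsing relay will wrap it and the SIEM decoder will see two headers, and pass-through is the only option that leaves the device’s own sequence number and timestamp where the decoder expects them.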

Thank you again for your help, it appears that Cisco has no concept of how to form a proper syslog message that conforms to any RFC. Sadly I’m not the network engineer, so I can only take what I’m given. As long as HAProxy is not changing it on me I can work around it.