Graylog2 / graylog-plugin-netflow

[DEPRECATED] Graylog NetFlow plugin
https://www.graylog.org/
Apache License 2.0

netflow source gets rewritten #31

Closed chuegel closed 6 years ago

chuegel commented 6 years ago

I'm using Graylog 2.4.3+2c41897 (Elastic/Mongo/Graylog cluster + nginx and HAProxy) with the netflow input. Everything works perfectly but the netflow source gets rewritten with the default gateway of the container where the stack is running. Any hints?

Thanks

joschi commented 6 years ago

@huegelc There's nothing we can do to guess the original remote address of the client.

If you know it in your environment, you can set the "source" field in a custom pipeline rule: http://docs.graylog.org/en/2.4/pages/pipelines.html

We are using GitHub issues for tracking bugs in Graylog itself, but this doesn't look like one. Please post this issue to our discussion forum or join the #graylog channel on freenode IRC.

Thank you!

chuegel commented 6 years ago

You misunderstood me: with source I meant the IP of the netflow sending device. Right now, Graylog's source overview shows me the router with the wrong source IP. How does Graylog figure out the value behind "source"? (screenshot: graylog_-_search)

10.0.4.1 isn't included in the netflow raw packet nor in the udp packet

joschi commented 6 years ago

@huegelc I understood the question just fine and the response stays the same.

The "source" message field is the remote address of the client which sent the packet to Graylog. https://github.com/Graylog2/graylog-plugin-netflow/blob/15cd24ab640b7482c32ead6bc5b8069907cbf8a2/src/main/java/org/graylog/plugins/netflow/flows/NetFlowFormatter.java#L71-L73
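
The mechanism described in the reply above, as an added example that is not code from the plugin, from Graylog, or from anyone in this thread: a minimal NetFlow v5 parser that builds a message per flow record and fills "source" from the UDP sender address handed back by the socket, never from the payload. The `nf_*` field names, the function names and the sample flows are my assumptions for illustration; the v5 header and record layouts are the standard ones. Running it shows why a NAT in front of the input (a container host rewriting the datagram's source) changes "source" while the flow records stay identical, and that neither the exporter address nor the gateway address appears anywhere in the datagram bytes.

```python
"""Added example: NetFlow v5 datagram -> Graylog-style messages.

Not the plugin's code. Shows that "source" can only come from the transport
layer (the address recvfrom() returns), because the v5 payload carries no
exporter address field.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

# NetFlow v5 wire layout (network byte order).
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval           -> 24 bytes
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as,
#         dst_as, src_mask, dst_mask, pad2                       -> 48 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed sample flows (src, dst, sport, dport, proto); not real traffic.
SAMPLE_FLOWS = [
    ("192.168.1.10", "8.8.8.8", 40000, 53, 17),
    ("192.168.1.20", "93.184.216.34", 51000, 443, 6),
]


def build_v5_packet(flows: List[Tuple[str, str, int, int, int]]) -> bytes:
    """Build a v5 datagram from constructed flows (test data generator)."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1_500_000_000, 0, 1, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto in flows:
        body += V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed,
            ipaddress.IPv4Address(dst).packed,
            b"\x00" * 4,        # nexthop
            1, 2,               # input / output ifIndex
            10, 1200,           # packets, bytes
            900, 990,           # first / last (sysUptime ms)
            sport, dport,
            0, 0, proto, 0,     # pad1, tcp_flags, prot, tos
            0, 0, 24, 24, 0,    # src_as, dst_as, src_mask, dst_mask, pad2
        )
    return header + body


def parse_v5(packet: bytes) -> List[Dict[str, object]]:
    """Decode header + records; field names are assumed, not the plugin's."""
    if len(packet) < V5_HEADER.size:
        raise ValueError(f"short header: {len(packet)} bytes")
    version, count = struct.unpack_from("!HH", packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version={version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(packet) < expected:
        raise ValueError(f"truncated: {len(packet)} < {expected}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "nf_src_address": str(ipaddress.IPv4Address(f[0])),
            "nf_dst_address": str(ipaddress.IPv4Address(f[1])),
            "nf_src_port": f[9],
            "nf_dst_port": f[10],
            "nf_proto": f[13],
            "nf_pkts": f[5],
            "nf_bytes": f[6],
        })
    return flows


def to_messages(packet: bytes, remote_addr: Tuple[str, int]) -> List[Dict[str, object]]:
    """Mirror the behaviour the thread describes: "source" is the UDP peer
    address the datagram arrived from, i.e. whatever the last NAT hop was."""
    messages = []
    for flow in parse_v5(packet):
        msg = dict(flow)
        msg["source"] = remote_addr[0]
        messages.append(msg)
    return messages


def payload_contains_address(packet: bytes, address: str) -> bool:
    """True if the 4 packed bytes of `address` occur anywhere in the datagram."""
    return ipaddress.IPv4Address(address).packed in packet


if __name__ == "__main__":
    pkt = build_v5_packet(SAMPLE_FLOWS)
    # Exporter sends directly: kernel reports the exporter as the peer.
    print(to_messages(pkt, ("10.1.1.1", 2055))[0]["source"])
    # Same datagram after a container host SNATs it: peer is the gateway.
    print(to_messages(pkt, ("10.0.4.1", 2055))[0]["source"])
    print(payload_contains_address(pkt, "10.1.1.1"),
          payload_contains_address(pkt, "10.0.4.1"))
```

The two `to_messages` calls receive byte-identical payloads and differ only in the peer address tuple, which is exactly what a NAT hop changes; a packet capture on the Graylog side will show the gateway as the UDP source, while a capture on the exporter side shows the exporter. The v5 header has no exporter-address field (the closest thing is `engine_id`), so the input has nothing in the payload to fall back on.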

chuegel commented 6 years ago

@joschi Thank you for your reply. But in this case the source is not correctly mapped, it should be 10.1.1.1. A packet trace confirms this. I do not understand how the source is populated with 10.0.4.1, the default gateway of the graylog server. When using syslog as input I can see every individual syslog sender IP, not the DG.

btw: I do not rewrite packets going into 10.0.4.0/24

joschi commented 6 years ago

@huegelc You said something about a container setup. The packet is clearly coming from the container host to Graylog.

Anyway, it's not a bug. Please move the discussion to the aforementioned community forums.

chuegel commented 6 years ago

yes, thank you.