Closed chuegel closed 6 years ago
@huegelc There's nothing we can do to guess the original remote address of the client.
If you know it in your environment, you can set the "source" field in a custom pipeline rule: http://docs.graylog.org/en/2.4/pages/pipelines.html
We are using GitHub issues for tracking bugs in Graylog itself, but this doesn't look like one. Please post this issue to our discussion forum or join the #graylog channel on freenode IRC.
Thank you!
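As an added illustration (not part of this thread and not code from the Graylog project), this is the kind of pipeline rule the reply above refers to, for the case where a single NetFlow exporter is known. The input title "NetFlow UDP" is an assumption, and the exporter address 10.1.1.1 is taken from the reporter's own description; both need to be replaced with the values of the environment at hand.

```text
rule "netflow: set source to the known exporter"
when
    // assumption: the NetFlow input is titled "NetFlow UDP"
    from_input(name: "NetFlow UDP")
then
    // overwrite the UDP peer address that Graylog stored in "source"
    set_field("source", "10.1.1.1");
end
```

The rule has to be placed in a stage of a pipeline that is connected to the stream the NetFlow input writes to. It can only label one exporter: if several devices sit behind the same NAT or container gateway, their packets all arrive from the same peer address and nothing in the message lets a rule tell them apart.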
You misunderstood me: with source I meant the IP of the netflow sending device. Right now, Graylog's source overview shows me the router with the wrong source IP. How does Graylog figure out the value behind "source"?
10.0.4.1 isn't included in the netflow raw packet or in the UDP packet
@huegelc I understood the question just fine and the response stays the same.
The "source" message field is the remote address of the client which sent the packet to Graylog. https://github.com/Graylog2/graylog-plugin-netflow/blob/15cd24ab640b7482c32ead6bc5b8069907cbf8a2/src/main/java/org/graylog/plugins/netflow/flows/NetFlowFormatter.java#L71-L73
@joschi Thank you for your reply. But in this case the source is not correctly mapped; it should be 10.1.1.1. A packet trace confirms this. I do not understand how the source is populated with 10.0.4.1, the default gateway of the Graylog server. When using syslog as input I can see every individual syslog sender IP, not the DG.
btw: I do not rewrite packets going into 10.0.4.0/24
@huegelc You said something about a container setup. The packet is clearly coming from the container host to Graylog.
Anyway, it's not a bug. Please move the discussion to the aforementioned community forums.
yes, thank you.
I'm using Graylog 2.4.3+2c41897 (Elastic/Mongo/Graylog cluster + nginx and HAproxy) with the netflow input. Everything works perfectly, but the netflow source gets rewritten with the default gateway of the container where the stack is running. Any hints?
Thanks