Open pickworth opened 8 years ago
Hi @nmors, that's too tricky to do in a cross-platform way. The best thing to do here is to configure iptables on the box itself.
@nmors can you fill us in a bit more as to why you need this? What's your business use case?
From an implementation perspective, I'm not sure how useful this is. In many cases, spoofing only works for connectionless protocols (ICMP, UDP, etc.), so anything using TCP would probably fail in this area. Sending crafted IP-layer packets requires root/administrative privilege, and one should never run Logstash with such permissions. I agree with @andrewvc that iptables (if on Linux) may be the best solution to mess with network packets.
ping @nmors? :)
Sorry, I had been waiting until I speak with the client that needs this. I had a meeting with them which let me understand more and have also spoken with Symantec regarding the issue. They are forwarding logs to a Symantec product. It's essentially a black box which forwards logs again to their SOC for analysis. In the case where their parser does not 'understand' the originating host from the syslog message itself, using 'signatures', it will fall back to use the source IP of the network packet. The client is currently using Kiwi Syslog to work around this on Windows, which utilizes WinPcap to spoof the packets, and yes, they are using UDP.
I'm all for best practices, but the only solution I can offer is to use iptables SNAT rules which watch for traffic on 20 odd ports locally, munge the packets, then ship them off. This also involves 20 if statements in Logstash and 20 outputs going to different ports in order for iptables to understand what to do. There is probably a better way to do it, but this is the way I designed the proof of concept. Very hacky solution. And who knows if those 20 devices will grow to 50 in a few years. Not very scalable or elegant at all.
I'm trying to pitch to the client replacement of their existing Kiwi Syslog infrastructure and replace it with ELK. It's just a shame that it is not a "drop in" replacement :)
I have added some info to this issue located in logstash-output-udp.
Maybe it helps to implement this new functionality.
Thanks
Hi All,
I would like to see this feature implemented, where Logstash can "spoof" a source IP address sent in the network layer packet.
Is this hard to implement? I know that you can accomplish this using iptables on Linux (and WinPcap on Windows). iptables is not the right solution though, because I need to apply logic (conditional statements) to the filter. Maybe this could be implemented into the "mutate" filter, or something similar.
The problem is the device would identify all traffic as coming from the Logstash server instead of the originating host. The purpose of this feature would be so that other devices on the other side of the output pipe would see this as coming from the spoofed IP and not the actual IP of the Logstash server.
This feature is present in a product called "Kiwi Syslog" (described at the bottom of this page http://www.kiwisyslog.com/help/syslog/index.html?action_forward_to_another_host.htm )
I'm working on a big proposal to replace Kiwi Syslog with the ELK(B) stack, and this is a required feature.
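The per-port iptables SNAT proof of concept described in the thread (one Logstash udp output per original host, each sent to the collector on a distinct local "tag" port, with iptables rewriting the destination port back to 514 and the source address to the originating host), as an added example that is not code from the issue or from the Logstash project. The script only prints the rules; the collector address, tag ports and host addresses are constructed placeholders, and applying the rules needs root and the conntrack match.

```shell
#!/bin/sh
# Added example: emit the iptables NAT rules for the per-device SNAT approach.
# Assumption: Logstash sends each device's syslog to $COLLECTOR:<tag-port>;
# iptables then restores the real syslog port and the original source address.

COLLECTOR="192.0.2.10"   # constructed: address of the SOC log collector
SYSLOG_PORT=514

# Constructed mapping, one line per device: <tag-port> <originating-host-IP>
DEVICE_MAP='
10001 10.1.1.21
10002 10.1.1.22
10003 10.1.1.23
'

# Two rules per device. DNAT in the nat OUTPUT chain fixes the destination
# port; SNAT in POSTROUTING rewrites the source address. The SNAT rule matches
# on the connection's ORIGINAL destination port (--ctorigdstport), because by
# the time POSTROUTING runs the DNAT has already changed --dport to 514 and the
# devices would no longer be distinguishable.
rules_for_device() {
    port=$1
    host=$2
    printf 'iptables -t nat -A OUTPUT -p udp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$COLLECTOR" "$port" "$COLLECTOR" "$SYSLOG_PORT"
    printf 'iptables -t nat -A POSTROUTING -p udp -d %s -m conntrack --ctorigdstport %s -j SNAT --to-source %s\n' \
        "$COLLECTOR" "$port" "$host"
}

# Walk the mapping and print every rule; blank or malformed lines are skipped.
generate_rules() {
    printf '%s\n' "$DEVICE_MAP" | while read -r port host; do
        [ -n "$port" ] && [ -n "$host" ] || continue
        rules_for_device "$port" "$host"
    done
}

# Number of rules that would be installed (two per mapped device).
count_rules() {
    generate_rules | wc -l | tr -d ' '
}

generate_rules
```

Packets leaving with a source address the Logstash host does not own are dropped by any egress filtering (BCP 38 style) between that host and the collector, so this only works on a path that permits them; every new device also means a new Logstash output and two new rules, which is the scaling problem the thread points out.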