jarischaefer / docker-librenms

Docker image for LibreNMS
MIT License

syslog entries stored under wrong device when using docker bridge network #120

Closed mtoupsUNO closed 3 years ago

mtoupsUNO commented 3 years ago

My config:

Both 192.168.1.8 and 172.17.0.1 are added as devices within LibreNMS. When the Linux host generates syslog traffic:

It appears to me that LibreNMS sees the incoming UDP traffic as coming from the wrong source. This may actually be Docker's fault, because of how it handles the network traffic; see https://github.com/docker/for-linux/issues/182

I worked around this issue by changing the librenms container's network to a macvlan network, so my librenms container would have its own IP address. I thought others might find this information useful.

E-t-z commented 3 years ago

It is a Docker issue, caused by the bridge network and NAT. It is so by design. (The LibreNMS container does not see your actual device address, and sees the Docker host as the source.)

Nothing we can do about it.

The only solution is to run the LibreNMS container network on Docker as host, not bridge.

mtoupsUNO commented 3 years ago

I suggest making a note of this in the documentation (https://github.com/jarischaefer/docker-librenms#syslog) so that others can avoid being surprised by it.

jarischaefer commented 3 years ago

Sorry for the delay, I will try to get this done soon.

jarischaefer commented 3 years ago

@mtoupsUNO Could you please check whether the new explanation is sufficient?

plopes9000 commented 9 months ago

It is working for me with the option for syslog-ng 'keep-hostname(yes);'

docker compose file:

  syslogng:
    image: librenms/librenms:latest
    container_name: librenms_syslogng
    hostname: librenms-syslogng
    ...
    ... 
    volumes:
      - /opt/librenms:/data
      - /opt/librenms/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf # OVERRIDE DOCKER FILE

Own syslog-ng.conf /opt/librenms/syslog-ng.conf

@version:3.38

options {
    chain_hostnames(off);
    flush_lines(0);
    use_dns(no);
    use_fqdn(no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(0);
    # Keep the HOST field from the message instead of rewriting it to the source address
    keep-hostname(yes);
    bad_hostname("^gconfd$");
};

source s_sys {
    system();
    internal();
};

source s_net {
    tcp(ip(0.0.0.0), port(514), max-connections(300));
    udp(ip(0.0.0.0), port(514));
    unix-stream("/run/syslog-ng/syslog-ng.sock");
};

destination d_librenms {
    program("/opt/librenms/syslog.php" template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$R_YEAR-$R_MONTH-$R_DAY $R_HOUR:$R_MIN:$R_SEC||$MSG||$PROGRAM\n") template-escape(yes));
};

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot       { facility(local7); };
filter f_cron       { facility(cron); };

log {
    source(s_net);
    source(s_sys);
    destination(d_librenms);
};
@include "/data/syslog-ng/*.conf"
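
A small Python model of the behaviour discussed in this thread, added here as an illustration (it is not code from the thread, from syslog-ng or from the docker-librenms project): it shows which value ends up in `$HOST` when a message arrives through the bridge NAT, with and without `keep-hostname(yes)`, and a consistency check between the claimed host and the peer address. The hostnames, the sample message, the inventory and all function names are constructed; only the two addresses come from the original report.

```python
import re

# BSD syslog (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOST TAG: message
_HEADER = re.compile(rb"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ")

# Constructed sample data: the addresses are from the report, the hostnames are made up.
BRIDGE_GW = "172.17.0.1"
INVENTORY = {"linux-host": "192.168.1.8", "docker-gw": BRIDGE_GW}
MSG = b"<38>Oct 11 22:14:15 linux-host sshd[412]: Accepted publickey for admin"


def header_host(datagram):
    """Return the HOST field claimed inside the message, or None if absent."""
    m = _HEADER.match(datagram)
    return m.group(1).decode("ascii", "replace") if m else None


def resolve_host(datagram, peer_ip, keep_hostname):
    """Model of what ends up in $HOST when use_dns(no) is set."""
    claimed = header_host(datagram)
    if keep_hostname and claimed:
        return claimed          # header kept as sent (sender-controlled)
    return peer_ip              # rewritten to the socket peer address


def audit(datagram, peer_ip, inventory, relays):
    """Compare the claimed HOST with the peer address where that is possible."""
    claimed = header_host(datagram)
    if claimed is None:
        return "no-header-host"
    if claimed not in inventory:
        return "unknown-host"
    if peer_ip in relays:
        return "unverifiable"   # NAT hid the real sender; the header is the only evidence
    return "consistent" if inventory[claimed] == peer_ip else "mismatch"


if __name__ == "__main__":
    for keep in (False, True):
        print(keep, resolve_host(MSG, BRIDGE_GW, keep))
    print(audit(MSG, BRIDGE_GW, INVENTORY, {BRIDGE_GW}))
```

Because the HOST field is written by the sender, messages that arrive through the NAT gateway cannot be cross-checked against their source address, so device attribution with `keep-hostname(yes)` is only as trustworthy as the set of hosts allowed to reach port 514.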