How to forward the messages with the original IP in the header instead of sender’s IP address?

Forwarding Syslog Messages with Original IP Address

Question: When forwarding syslog messages using WinSyslog or MonitorWare Agent, the forwarded messages show the forwarding server's IP address instead of the original device's IP address. How can I preserve the original source IP?

The Challenge

This is a limitation of the traditional UDP-based syslog protocol (RFC 3164). When a syslog server receives a message and forwards it, the source address in the IP header is that of the forwarding server, not of the original sender. This makes it difficult to identify the true source of log messages in multi-hop scenarios.

Solutions

There are several approaches to preserve the original source information, depending on your environment and requirements:

1. RFC 3164 Compliant Devices

If your devices properly implement RFC 3164, you can extract the hostname from the syslog message header:

  • Enable “RFC 3164 Parsing” in MonitorWare Agent or WinSyslog
  • This extracts the hostname from the syslog message itself
  • Note: Many devices are not fully RFC 3164 compliant, which can result in incorrectly parsed hostnames

2. SETP Protocol (Recommended for Internal Windows Systems)

Use Adiscon's proprietary SETP (Secure Event Transfer Protocol) for internal Windows-to-Windows forwarding:

  • TCP-based with guaranteed delivery
  • Preserves complete message information including original source
  • Includes all database fields populated
  • Requires SETP-compatible sender and receiver
  • Best for internal network environments

See differences between SETP and Syslog for more information.

3. RELP Protocol (Recommended for Reliable Logging)

RELP (Reliable Event Logging Protocol) is a modern, TCP-based reliable transport protocol for syslog:

  • RFC 3195 compatible: Standards-based protocol
  • Guaranteed delivery: Acknowledgment-based message delivery
  • Original source preservation: Maintains original host information
  • Application-level acknowledgment: Ensures messages are received and processed
  • TCP-based: Provides reliable, connection-oriented transport
  • Cross-platform compatibility: Works with Unix/Linux and Windows systems

Using RELP Forward Action:

  1. Open your WinSyslog or MonitorWare Agent configuration
  2. Create a new Forward Action and select “RELP Forward”
  3. Configure the target RELP server IP address and port (default: 20514)
  4. Enable “Preserve Original Host” option if available
  5. Save configuration and restart the service

Benefits of RELP:

  • Message delivery confirmation (no lost logs)
  • Automatic retry for failed transmissions
  • Better performance than UDP for high-volume logging
  • Standardized protocol for interoperability
  • Supports TLS encryption for secure transport
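
To make the acknowledgment-based delivery described above concrete, here is an added Python model of a RELP exchange between a sender and a receiver. It is example code written for this article, not Adiscon's, WinSyslog's or librelp's implementation. It uses the frame layout given in the RELP specification (TXNR SP COMMAND SP DATALEN [SP DATA] LF, with the `open`, `syslog`, `close` and `rsp` commands), but replaces the TCP connection with an in-memory call; the class names `RelpReceiver` and `RelpSender`, the `drop_rsp_for` fault injection and the sample message lines are all constructed for the demonstration.

```python
import re

# Frame layout from the RELP specification: TXNR SP COMMAND SP DATALEN [SP DATA] LF.
# The in-memory "wire", the fault injection and the sample lines are constructed for this example.
FRAME_HEADER = re.compile(rb"^(\d+) ([a-z]+) (\d+)")

def encode_frame(txnr: int, command: str, data: bytes = b"") -> bytes:
    """Build one frame; the SP before DATA is present only when DATALEN > 0."""
    head = f"{txnr} {command} {len(data)}".encode()
    return head + (b" " + data if data else b"") + b"\n"

def decode_frame(buf: bytes):
    """Parse one frame from the front of buf: (txnr, command, data, remaining), or None
    when buf does not yet hold a complete frame (a real client would read more bytes)."""
    m = FRAME_HEADER.match(buf)
    if not m:
        if b"\n" in buf:
            raise ValueError("malformed frame header")
        return None
    txnr, command, datalen = int(m[1]), m[2].decode(), int(m[3])
    start = m.end() + 1 if datalen else m.end()
    end = start + datalen
    if len(buf) < end + 1:
        return None
    if (datalen and buf[m.end():start] != b" ") or buf[end:end + 1] != b"\n":
        raise ValueError("bad frame delimiters")
    return txnr, command, buf[start:end], buf[end + 1:]

class RelpReceiver:
    """Server side: parses each frame, stores syslog payloads, answers with a rsp frame."""
    def __init__(self):
        self.messages = []      # accepted payloads in arrival order, duplicates included
        self.opened = False
    def handle(self, frame: bytes) -> bytes:
        txnr, command, data, rest = decode_frame(frame)
        if rest:
            raise ValueError("one frame per call in this model")
        if command == "open":
            self.opened = True
            return encode_frame(txnr, "rsp", b"200 OK\nrelp_version=0\ncommands=syslog")
        if command == "syslog" and self.opened:
            self.messages.append(data)
            return encode_frame(txnr, "rsp", b"200 OK")
        if command == "close":
            self.opened = False
            return encode_frame(txnr, "rsp", b"200 OK")
        return encode_frame(txnr, "rsp", b"500 session not open")

class RelpSender:
    """Client side: numbers every frame and keeps it until the rsp for that TXNR arrives."""
    def __init__(self, receiver: RelpReceiver, drop_rsp_for=()):
        self.rx = receiver
        self.txnr = 0
        self.unacked = {}                      # txnr -> (command, data) still awaiting 200
        self.drop_rsp_for = set(drop_rsp_for)  # constructed fault injection: acks to lose
        self.delivered = 0                     # syslog frames confirmed by the receiver
    def _on_response(self, rsp: bytes) -> None:
        txnr, command, data, _ = decode_frame(rsp)
        if command == "rsp" and data.startswith(b"200") and txnr in self.unacked:
            if self.unacked.pop(txnr)[0] == "syslog":
                self.delivered += 1
    def _send(self, command: str, data: bytes = b"") -> None:
        self.txnr += 1
        self.unacked[self.txnr] = (command, data)
        rsp = self.rx.handle(encode_frame(self.txnr, command, data))
        if self.txnr in self.drop_rsp_for:     # the ack is lost in transit: frame stays unacked
            self.drop_rsp_for.discard(self.txnr)
            return
        self._on_response(rsp)
    def open(self) -> None:
        self._send("open", b"relp_version=0\nrelp_software=example-sender\ncommands=syslog")
    def send_syslog(self, line: str) -> None:
        self._send("syslog", line.encode())
    def retransmit_unacked(self) -> None:
        """After a reconnect, replay every frame that never got its 200 (at-least-once delivery)."""
        for txnr, (command, data) in sorted(self.unacked.items()):
            if command == "syslog":
                self._on_response(self.rx.handle(encode_frame(txnr, command, data)))

def demo():
    """Lose the ack for the second syslog frame, then replay. Returns (before, after), each being
    (sender.delivered, len(sender.unacked), len(receiver.messages))."""
    rx = RelpReceiver()
    tx = RelpSender(rx, drop_rsp_for={3})      # txnr 1 is open, txnr 3 is the second syslog frame
    tx.open()
    for line in ("<13>Oct 11 22:14:15 relay01 link up",      # constructed sample lines
                 "<13>Oct 11 22:14:16 relay01 link down",
                 "<13>Oct 11 22:14:17 relay01 link up"):
        tx.send_syslog(line)
    before = (tx.delivered, len(tx.unacked), len(rx.messages))
    tx.retransmit_unacked()
    return before, (tx.delivered, len(tx.unacked), len(rx.messages))

if __name__ == "__main__":
    print(demo())   # ((2, 1, 3), (3, 0, 4))
```

The lost-ack scenario in `demo()` is the property the list above calls guaranteed delivery: the sender never forgets a frame until the receiver's `200` response for that TXNR arrives, so after a reconnect it replays the frame instead of losing the event the way UDP would. The receiver ends up with four stored messages for three events, which is the at-least-once behaviour to expect when monitoring RELP retries: duplicates on the receiving side are the normal symptom of a dropped acknowledgment, not of a misconfiguration.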

4. XML Format Forwarding

Forward messages in XML format to preserve all metadata:

  • Select “XML Format” as the output format
  • Preserves all original message information
  • Best suited for automated parsing systems
  • Messages appear in structured XML rather than standard syslog format

5. Include Original Host Option

Add a custom tag containing the original host information:

  • Enable “Include Original Host” in the syslog forwarder configuration
  • Adds a tag like “FromHost: <ip>” at the beginning of the message
  • Note: This is not RFC 3164 compliant, but preserves information
  • Works with standard syslog receivers

Modern Syslog Standards

Newer syslog standards have addressed many limitations of traditional UDP syslog:

  • RFC 5424: Structured syslog with better metadata preservation and standardized message format
  • RFC 3195: Reliable syslog transport protocol (the foundation for RELP)
  • RELP: Reliable Event Logging Protocol – application-level protocol for guaranteed delivery

WinSyslog and MonitorWare Agent support these modern standards and protocols.
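
As an added example serving section 1 (RFC 3164 parsing), section 5 (the "FromHost: <ip>" tag) and the RFC 5424 item above, the following receiver-side Python code is written for this article and is not WinSyslog or MonitorWare Agent code. It extracts the hostname from an RFC 5424 or RFC 3164 header, falls back to the packet's source address when a device omitted the hostname, and lets a FromHost tag override both. The function and class names, the assumption that the tag is prepended to the message body and followed by a space, the heuristic for spotting a missing hostname, and the five sample lines are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 header: <PRI>TIMESTAMP SP HOSTNAME SP MSG, where TIMESTAMP is "Mmm dd hh:mm:ss".
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG].
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.DOTALL)

# Tag added by the "Include Original Host" option. The article gives the form "FromHost: <ip>";
# this example assumes the forwarder prepends it to the MSG part followed by a space.
FROMHOST_RE = re.compile(r"^FromHost: (?P<ip>\S+) ?(?P<rest>.*)$", re.DOTALL)

@dataclass
class ParsedSyslog:
    origin: str              # best-effort original source of the event
    origin_source: str       # "fromhost-tag", "rfc5424-header", "rfc3164-header" or "packet-src"
    hostname: Optional[str]  # hostname taken from the message itself, if any
    msg: str                 # message body with any FromHost tag removed
    header_ok: bool          # True when the header parsed as RFC 5424 or RFC 3164

def looks_like_tag(token: str) -> bool:
    """A device that omits HOSTNAME leaves its TAG ("su:", "kernel[12]:") in the hostname
    slot; such a value is rejected rather than recorded as the source (constructed heuristic)."""
    return token.endswith(":") or "[" in token

def resolve_origin(raw: str, packet_src: str) -> ParsedSyslog:
    """Work out where a received line originally came from.

    packet_src is the address the receiving socket reported. With plain UDP forwarding that is
    the relay, not the device, so it is used only when nothing better is in the message.
    """
    hostname, msg, how, header_ok = None, raw, "packet-src", False
    m = RFC5424_RE.match(raw)
    if m:
        header_ok, msg = True, m.group("msg") or ""
        if m.group("host") != "-":               # "-" is the RFC 5424 NILVALUE
            hostname, how = m.group("host"), "rfc5424-header"
    else:
        m = RFC3164_RE.match(raw)
        if m:
            host, msg = m.group("host"), m.group("msg")
            if looks_like_tag(host):
                msg = f"{host} {msg}"              # give the TAG back to the body
            else:
                hostname, how, header_ok = host, "rfc3164-header", True
    fh = FROMHOST_RE.match(msg)
    if fh:                                         # the relay's tag names the true origin
        hostname, how, msg = fh.group("ip"), "fromhost-tag", fh.group("rest")
    return ParsedSyslog(hostname or packet_src, how, hostname, msg, header_ok)

# Constructed sample input: five lines as they might arrive from a relay at 10.0.0.5.
SAMPLES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<34>Oct 11 22:14:15 su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:15 relay01 FromHost: 192.0.2.7 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - 'su root' failed",
    "<165>1 2003-10-11T22:14:15.003Z - - - - -",
]

def demo(packet_src: str = "10.0.0.5"):
    """Return (origin, origin_source) for each sample line."""
    return [(p.origin, p.origin_source) for p in (resolve_origin(s, packet_src) for s in SAMPLES)]

if __name__ == "__main__":
    for line, (origin, how) in zip(SAMPLES, demo()):
        print(f"{origin:22} via {how:15} <- {line[:50]}")
```

The second sample line is the non-compliance case from section 1: the device left out HOSTNAME, so a parser that trusts the header field would report the TAG `su:` as the host. Here the value is rejected and the packet source is used instead, and because that source is the relay in a forwarded setup, the `packet-src` label makes the gap visible to whatever consumes the events downstream rather than silently attributing them to the wrong machine.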

Protocol Comparison

Protocol              | Transport | Reliability         | Original IP | Best For
----------------------|-----------|---------------------|-------------|-------------------------------
UDP Syslog (RFC 3164) | UDP       | Best-effort         | No          | Network devices, compatibility
RELP                  | TCP       | Guaranteed          | Yes         | Production logging, compliance
SETP                  | TCP       | Guaranteed          | Yes         | Windows-to-Windows
RFC 5424              | UDP/TCP   | Transport-dependent | Yes         | Structured logging

Recommendations

Scenario                                            | Recommended Solution
----------------------------------------------------|-----------------------------------------------
Production environments requiring guaranteed delivery | RELP protocol
Internal Windows-to-Windows forwarding              | SETP protocol
Cross-platform reliable logging                     | RELP protocol
Network devices (routers, switches)                 | Include Original Host option
RFC 3164 compliant devices                          | Enable RFC 3164 Parsing
Automated parsing systems                           | XML Format forwarding
Compliance/audit requirements                       | RELP with TLS encryption
Mixed environment                                   | Use multiple forwarders with different formats

Configuration Examples

Using RELP Forward Action:

  1. Open your WinSyslog or MonitorWare Agent configuration
  2. Navigate to Rules and select your rule or create a new one
  3. Add a new action and select “Forward Via RELP”
  4. Configure the following settings:
    • Remote Host: IP address or hostname of RELP server
    • Port: 20514 (default RELP port)
    • Enable “Preserve Original Hostname” option
    • Enable TLS/SSL if secure transport is required
  5. Test the connection to verify RELP handshake
  6. Save configuration and restart the service

Using “Include Original Host”:

  1. Open your WinSyslog or MonitorWare Agent configuration
  2. Navigate to your forwarding action
  3. Enable “Include Original Host” option
  4. Save and restart the service

Using SETP:

  1. Ensure both sender and receiver support SETP
  2. Configure SETP listener on receiving server
  3. Configure SETP sender action on forwarding server
  4. Verify connectivity and test

Additional Considerations

  • Reliability Requirements: Use RELP or SETP for production environments where message loss is unacceptable
  • Network Topology: Consider your network design when choosing a solution
  • Compatibility: Ensure compatibility with downstream systems
  • Performance: RELP and SETP provide better performance than UDP for high-volume scenarios
  • Security: Use TLS encryption with RELP for secure log transport
  • Testing: Test thoroughly in a non-production environment
  • Documentation: Document your forwarding configuration for future reference
  • Monitoring: Monitor RELP connections for dropped connections or retry failures

Migration Path

If you are currently using UDP syslog and need to improve reliability:

  1. Assess: Evaluate your current logging volume and loss rates
  2. Plan: Design RELP topology with appropriate relay servers
  3. Test: Deploy RELP in a test environment
  4. Migrate: Gradually migrate critical systems to RELP
  5. Monitor: Track message delivery rates and failures
  6. Optimize: Adjust configuration based on performance metrics