[rsyslog] UDP source forging.

david at lang.hm david at lang.hm
Wed Mar 4 08:16:59 CET 2009


OK, here is a diff that works.

It cycles the source IP address from 32000-42000 (since we are just 
sending, and not creating a normal socket, this should not matter).

It needs LIBS = /usr/lib/libnet.a in the Makefile in tools.

To use it, create a template that puts the hostname-ip ahead of what you 
want to send, similar to:

$template TraditionalFwdFormat,"%fromhost-ip% <%pri%>%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

*.*     @10.0.0.100;TraditionalFwdFormat

The one problem right now is that any logs sent from the local box will go 
out with a source IP of 127.0.0.1.

I wasted a bit of time trying to set up filters to use a different template 
if $myhostname == $fromhost, but apparently the filtering doesn't allow 
comparing two properties. Then I realized that you have a very 
high-performance name cache now, so you could easily replace my trivial 
inet_pton(AF_INET, source_text_ip, &(source_ip.sin_addr));
line with a call to the name lookup, and then the %fromhost-ip% could be 
replaced by %fromhost% in the template and everything would work sanely 
(assuming forward and reverse name resolution are sane ;-)

I haven't tried to do IPv6 yet; I know that it requires more effort to set 
the IP layer options, but I don't know exactly what yet.

I wanted to float this first to see what you think before spending much 
more time on it.

David Lang
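The template above prepends %fromhost-ip% to an otherwise traditional syslog record, and the post notes that messages originating on the relay itself arrive with 127.0.0.1 in that slot. The following is an added example (not from the post and not rsyslog code) showing how a consumer of that format can split off the leading source address, decode the PRI field, and apply the suggested fallback of resolving the record's hostname when the source is loopback. The regular expression assumes exactly the field order of the TraditionalFwdFormat template in the message; the sample lines and the hostname-to-address map are constructed for the demo.

```python
"""Parse syslog lines emitted by a template that prepends %fromhost-ip%.

Added example; assumes the field order of the TraditionalFwdFormat template
quoted in the mailing-list post. Sample data below is constructed.
"""
import ipaddress
import re
import socket

# "%fromhost-ip% <%pri%>%timegenerated% %HOSTNAME% %syslogtag%%msg%"
# %timegenerated% is the classic "Mmm dd hh:mm:ss" form with a space-padded day.
LINE_RE = re.compile(
    r"^(?P<src>\S+) <(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<rest>.*)$"
)


def parse_prefixed_line(line, resolver=socket.gethostbyname):
    """Split the leading source address from the traditional syslog record.

    Returns a dict with the parsed fields plus 'forward_src': the address a
    relay should stamp on the outgoing datagram. When %fromhost-ip% is a
    loopback address (the locally generated messages the post describes),
    the record's %HOSTNAME% is resolved via `resolver` instead, mirroring the
    suggestion to use %fromhost% plus a name lookup.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a prefixed syslog line: {line!r}")

    src = ipaddress.ip_address(m["src"])  # raises ValueError on garbage
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)

    local_origin = src.is_loopback
    forward_src = resolver(m["hostname"]) if local_origin else str(src)

    return {
        "src": str(src),
        "ip_version": src.version,
        "facility": facility,
        "severity": severity,
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "message": m["rest"],
        "local_origin": local_origin,
        "forward_src": forward_src,
    }


# Constructed lookup table standing in for the name cache / DNS.
DEMO_NAMES = {"relay1": "10.0.0.7"}


def demo_resolver(hostname):
    return DEMO_NAMES[hostname]


if __name__ == "__main__":
    # Constructed sample output of the TraditionalFwdFormat template.
    samples = [
        "10.0.0.5 <34>Mar  4 08:16:59 webhost sshd[123]: Accepted publickey",
        "127.0.0.1 <13>Mar  4 08:17:00 relay1 root: local message",
    ]
    for s in samples:
        rec = parse_prefixed_line(s, resolver=demo_resolver)
        print(rec["src"], "->", rec["forward_src"], rec["message"])
```

Passing a resolver in explicitly keeps the loopback fallback testable offline; in a real relay that argument would be the name cache the post refers to.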
