[rsyslog-notify] Forum Thread: Re: Getting omudpspoof for 5.8.6 on Ubuntu LTS - (Mode 'reply')

noreply at adiscon.com
Mon Aug 25 20:29:49 CEST 2014


User: treesloth 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24877#p24877

Message: 
----------
[quote="rgerhards":2gqr34pg]What David means is that an RFC-compliant
receiver should pull the originating host from the hostname field of the
message, and not rely on the sender's IP address. As you see in your case,
the sender address is really nothing that can be used inside a relay chain.


There is no need to warn about omudpspoof performance, other than that it
is a much more costly operation than regular forwarding - just like writing
to a database is more costly than writing to a flat file. 

What David meant (I guess) is that you should ask yourself why you need the
original sender's IP address on the central collector vs. the original
sender's hostname (from the message). With well-behaving systems, there is
no need to put anything special (like omudpspoof) into relay chains.

Regarding 5.8.6: I don't remember if the module was available for that
version. If so, and if you find no package, you can pull the version via
the v5.8.6 tag from github and compile the version yourself. A much better
alternative is to use the currently supported 8.4 version.

HTH
Rainer[/quote:2gqr34pg]

Thanks for the reply.  That makes sense.  I assumed that there would be
some overhead from the spoofing operation, but don't have a real idea of
how much.  After research over the weekend, I was also reaching the
conclusion that I would have to compile it.

As you can probably guess, I'm working on an in-place system, and I didn't
make it.  I was curious about that.  Apparently that was the default
install on Ubuntu 12.04 LTS.  On my 14.04 desktop the default is 7.4.4.
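
The point in the quoted reply, as an added example that is not part of the original thread or of rsyslog: a Python function for a collector behind a relay that takes the originating host from the message's HOSTNAME field (RFC 3164 or RFC 5424 layout) and falls back to the UDP peer address only when the header carries none. The function names, sample messages and addresses are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP ...
RFC5424 = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss SP HOSTNAME SP TAG...
RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")


def origin_host(datagram, peer_ip):
    """Return (host, source); source names the field that supplied host."""
    text = datagram.decode("utf-8", errors="replace")
    m = RFC5424.match(text)
    if m:
        host = m.group(4)
        # "-" is the RFC 5424 NILVALUE: the sender did not state a hostname.
        if host != "-":
            return (host, "rfc5424-hostname")
        return (peer_ip, "peer-ip")
    m = RFC3164.match(text)
    if m:
        return (m.group(3), "rfc3164-hostname")
    # No parsable header: the transport address is all that is left.
    return (peer_ip, "peer-ip")


# Constructed datagrams, all arriving from the same relay (192.0.2.10).
RELAY_IP = "192.0.2.10"
SAMPLES = [
    b"<34>Oct 11 22:14:15 web01 su: session opened for user root",
    b"<165>1 2014-08-25T20:29:49Z db02.example.com app 123 - - started",
    b"<165>1 2014-08-25T20:29:49Z - app 123 - - started",
    b"not a syslog header at all",
]


def resolve_all(samples=SAMPLES, peer_ip=RELAY_IP):
    """Resolve every sample as the collector would see it via the relay."""
    return [origin_host(s, peer_ip) for s in samples]


if __name__ == "__main__":
    for host, source in resolve_all():
        print(f"{host:20} ({source})")
```

Only the last two samples resolve to the relay's address; the first two keep their original hostnames even though every datagram arrived from the relay.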

