[rsyslog-notify] Forum Thread: Re: bind to specific source IP address - (Mode 'reply')
noreply at adiscon.com
Wed Jan 28 14:01:03 CET 2015
User: dovydas
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25205#p25205
Message:
----------
[quote="dlang":1k51xw0e]The problem is that if the best/only route to the
rsyslog destination is over one interface, trying to use a source IP that's
on another interface just won't work. You really do need to have it use an
IP address on the right network.[/quote:1k51xw0e]
From a routing perspective it will work just fine. Unless there is something
in the rsyslog code that specifically prevents using a fixed source IP address,
it is just fine. Many applications use this technique. They
specify the source IP of the packet and the kernel networking system chooses
the outgoing interface depending on the destination IP. This decision
doesn't depend on the source IP.
[quote="dlang":1k51xw0e]Now, if you have multiple IP addresses on one
network, you could run into a case where rsyslog uses a different one than
you would like. I've done some iptables trickery in the past to deal with
this (NAT the connection to the IP address that you want)
The hostname in the log message should remain the same however it's
delivered, you should work with that rather than the IP address that
delivered the log to you in any case (if you go through a relay, the IP
that delivered the log to you isn't going to be the box that generated the
log anyway).
Rsyslog doesn't set the source IP (with the exception of the UDP forgery
module), it just tells the OS "I want to connect to X" and lets the OS pick
the best path, and corresponding IP address to use.[/quote:1k51xw0e]
Thank you for suggesting to use the hostname. I would like to avoid NAT as
hell. :)
I try to use $fromhost but I am out of luck.
I have replaced the line
[code:1k51xw0e]if $fromhost-ip startswith '192.168.0.1' then
/var/log/routers/router1.ipv4.log[/code:1k51xw0e]
with the line
[code:1k51xw0e]if $fromhost == 'router1' then
/var/log/routers/router1.ipv4.log[/code:1k51xw0e]
But nothing is logged in the file /var/log/routers/router1.ipv4.log. I have
captured some incoming packets with tcpdump and I can see the hostname
'router1' in the received syslog string. So I believe I have a mistake in
the config line. Please can you advise?
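
The difference between the address a log arrives from and the hostname written inside the message, as an added example that is not part of the forum post or of rsyslog's code: it applies three selection rules to four constructed datagrams (a direct send, the same router on a second interface, a relayed copy, and an unrelated neighbour). In rsyslog terms the in-message field is the `hostname` property, while `fromhost` and `fromhost-ip` describe the system the message was received from; all addresses, payloads and the names `switch7` and the relay are assumptions made for the illustration.

```python
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
HEADER = re.compile(
    r"<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) (.*)", re.DOTALL
)
ROUTER1_LOG = "/var/log/routers/router1.ipv4.log"  # path from the post


def message_hostname(datagram):
    """Return the HOSTNAME field carried inside the message, or None."""
    m = HEADER.match(datagram.decode("utf-8", errors="replace"))
    return m.group(2) if m else None


def by_peer_prefix(peer_ip, datagram):
    """Mimics: $fromhost-ip startswith '192.168.0.1' (a string prefix match)."""
    return ROUTER1_LOG if peer_ip.startswith("192.168.0.1") else None


def by_peer_exact(peer_ip, datagram):
    """Exact comparison against the one expected sender address."""
    return ROUTER1_LOG if peer_ip == "192.168.0.1" else None


def by_message_hostname(peer_ip, datagram):
    """Match on the hostname the device wrote into the message itself."""
    return ROUTER1_LOG if message_hostname(datagram) == "router1" else None


# Constructed samples: (address the datagram arrived from, payload).
SAMPLES = {
    "direct": ("192.168.0.1", b"<189>Jan 28 14:01:03 router1 %LINK-3-UPDOWN: Gi0/1 up"),
    "other_if": ("10.0.0.1", b"<189>Jan 28 14:01:04 router1 %LINK-3-UPDOWN: Gi0/2 up"),
    "via_relay": ("192.168.0.254", b"<189>Jan 28 14:01:05 router1 %SYS-5-CONFIG_I: done"),
    "neighbour": ("192.168.0.17", b"<189>Jan 28 14:01:06 switch7 %SYS-5-RESTART: boot"),
}


def routed(rule):
    """Names of the samples that the given rule sends to router1's file."""
    return sorted(name for name, (ip, data) in SAMPLES.items() if rule(ip, data))


if __name__ == "__main__":
    for rule in (by_peer_prefix, by_peer_exact, by_message_hostname):
        print(f"{rule.__name__:20} -> {routed(rule)}")
```

The prefix rule also catches 192.168.0.17, because `startswith` compares strings rather than addresses. The in-message hostname is written by the sender, so it identifies a device only as far as that sender and any relay in between are trusted.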