[rsyslog-notify] Forum Thread: Re: bind to specific source IP address - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Wed Jan 28 20:56:39 CET 2015


User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25207#p25207

Message: 
----------
[quote="dovydas":2l0xlr7r][quote="dlang":2l0xlr7r]The problem is that if
the best/only route to the rsyslog destination is over one interface,
trying to use a source IP that's on another interface just won't work. You
really do need to have it use an IP address on the right
network.[/quote:2l0xlr7r]

From routing perspective it will work just fine. Unless there is something
in rsyslog code that specifically prevents using fixed source IP address
otherwise it is just fine. Many applications use this technique. They
specify source IP of the packet and the kernel networking system chooses
the outgoing interface depending on the destination IP. This decision
doesn't depend on the source IP.
[/quote:2l0xlr7r]

That works as long as replies can go back to that IP address. Remember that
the system you are sending to is not going to know what's going on with
your system. If you lock it down to using a specific source IP you are also
effectively locking it down to using that network because even if you can
send the packet out the other network (and there aren't any filters
preventing you from sending packets with an invalid source there), the
replies are going to be directed back to the other interface.


[quote="dovydas":2l0xlr7r][quote="dlang":2l0xlr7r]Now, if you have multiple
IP addresses on one network, you could run into a case where rsyslog uses a
different one than you would like. I've done some iptables trickery in the
past to deal with this (NAT the connection to the IP address that you want)

The hostname in the log message should remain the same however it's
delivered, you should work with that rather than the IP address that
delivered the log to you in any case (if you go through a relay, the IP
that delivered the log to you isn't going to be the box that generated the
log anyway).

Rsyslog doesn't set the source IP (with the exception of the UDP forgery
module), it just tells the OS "I want to connect to X" and lets the OS pick
the best path, and corresponding IP address to use.[/quote:2l0xlr7r]

Thank you for suggesting to use the hostname. I would like to avoid NAT as
hell. :)

I try to use $fromhost but I am out of luck.
[/quote:2l0xlr7r]
$fromhost-ip is what IP address the packet looks like it came from. This
will show the relay if the log is relayed, or the firewall if you go
through a NAT connection.
$fromhost is a DNS lookup of $fromhost-ip.

What you want to use is $hostname, that's the value that the sender put in
the message.
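
The difference between the three properties described above, as an added example that is not part of the original post or of rsyslog's code: it derives each value for a few received datagrams and groups the logs by it. The addresses, hostnames and reverse-DNS table are constructed, the function names are hypothetical, and falling back to the peer address when no header parses is this example's own choice.

```python
import re
from collections import defaultdict

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<hostname>\S+) ",
)

def properties(peer_ip, datagram, rdns=None):
    """Return the three values discussed above for one received datagram.

    peer_ip: source address of the packet as seen on the receiving socket.
    rdns:    constructed reverse-DNS table standing in for a real lookup.
    """
    m = HEADER.match(datagram.decode("utf-8", "replace"))
    return {
        "fromhost-ip": peer_ip,                         # transport-level sender
        "fromhost": (rdns or {}).get(peer_ip, peer_ip),  # DNS name of that address
        # Value the sender wrote into the message; it is sender-controlled.
        # Assumption of this example: fall back to peer_ip if nothing parses.
        "hostname": m.group("hostname") if m else peer_ip,
    }

def group_by(prop, received, rdns=None):
    """Group raw datagrams by one of the three properties."""
    out = defaultdict(list)
    for peer_ip, datagram in received:
        out[properties(peer_ip, datagram, rdns)[prop]].append(datagram)
    return dict(out)

# Constructed sample: two hosts behind one relay, one host behind a NAT
# firewall, and one datagram without a parsable header.
RDNS = {"192.0.2.10": "relay1.example.net", "198.51.100.1": "fw.example.net"}
RECEIVED = [
    ("192.0.2.10", b"<13>Jan 28 20:56:39 web01 app: started"),
    ("192.0.2.10", b"<13>Jan 28 20:56:40 db01 app: started"),
    ("198.51.100.1", b"<13>Jan 28 20:56:41 web02 app: started"),
    ("203.0.113.7", b"not a syslog header"),
]

if __name__ == "__main__":
    for prop in ("fromhost-ip", "fromhost", "hostname"):
        groups = group_by(prop, RECEIVED, RDNS)
        print(prop, {key: len(msgs) for key, msgs in groups.items()})
```

Grouping by `fromhost-ip` or `fromhost` merges web01 and db01 under the relay, while grouping by `hostname` keeps them apart.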

