On Mon, 2 Mar 2009, [email protected] wrote:

On Thu, 26 Feb 2009, Rainer Gerhards wrote:

Actually, output modules do not receive access to the full message
object. This was originally done for security reasons (do not pass more
than needed). All they can receive is the strings that are passed to
them. So the module would need to be modified so that a second string
(like ommail) is passed, and that string needs to be defined as the
to-be-spoofed IP (which also makes it possible to rewrite the source IP).

I will look into this.

I haven't had time to figure this out yet.

From all the discussion, it may make sense to start with a different
output plugin that may later be merged back into the original one...

Ok, I won't try to have it do everything and just concentrate on doing the forging.

Attached is a diff that turns the UDP forwarding into forging, currently with a fixed from address of 1.1.1.1 port 2.

I also needed to modify the makefile to add
LIBS = /usr/lib/libnet.a

for it to compile.

In my research, I learned that syslog-ng uses this same library for their forging.

So far I have avoided looking at the syslog-ng code (I wanted to understand what was happening on my own, and I am also avoiding any potential license issues until I can check on them).

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com