Hi all, I just wanted to let you know that I have completed this module now. It is part of the regular master branch.

Some basic doc is available here: http://www.rsyslog.com/doc-omudpspoof.html

Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Rainer Gerhards
> Sent: Thursday, July 09, 2009 5:57 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] UDP source forging.
>
> Sorry folks, have not worked on this topic since March - but I never forget ;)
>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of [email protected]
> > Sent: Wednesday, March 04, 2009 8:17 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] UDP source forging.
> >
> > Ok, here is a diff that works.
> >
>
> I have integrated David's UDP spoofing patch into v5-devel (master branch) as a separate output module (named omudpspoof). I have extracted the necessary functionality from omfwd and it now works quite well. However, the configuration is not yet as typically found in rsyslog (not that I find it very elegant, but consistency is a plus ;)). Also, doc is missing. My next steps will be to address these issues. However, for those interested, I just wanted to tell you that the git master branch now contains a version capable of spoofing (I have verified this with both an rsyslog receiver as well as Wireshark - hopefully I can also add an automated test for this functionality, but this is not trivial).
>
> > it cycles the source IP address from 32000-42000 (since we are just sending, and not creating a normal socket this should not matter)
> >
> > it needs LIBS = /usr/lib/libnet.a in the Makefile in tools
> >
> > to use it create a template that puts the hostname-ip ahead of what you want to send, similar to
> >
> > $template TraditionalFwdFormat,"%fromhost-ip% <%pri%>%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
> >
> > *.* @10.0.0.100;TraditionalFwdFormat
> >
> > the one problem right now is that any logs sent from the local box will go out with a source IP of 127.0.0.1
> >
> > I wasted a bit of time trying to set up filters to use a different template if $myhostname == $fromhost, but apparently the filtering doesn't allow comparing two properties
>
> I overlooked this in March. The script-based filter engine does not even know that what is being compared are properties, so there is no restriction in what can be compared. So this must either have been a config issue or a bug. I just wanted to tell you should you come into a similar situation again.
>
> > , and then I realized that you have a very high-performance name cache now, so you could easily replace my trivial
> >
> > inet_pton(AF_INET, source_text_ip, &(source_ip.sin_addr));
> >
> > line with a call to the name lookup and then the %fromhost-ip% could be replaced by %fromhost% in the template and everything would work sanely (assuming forward and reverse name resolution are sane ;-)
>
> And another point to stress: rsyslogd does *not* yet have a high-performance cache. All it does is cache the last host (and only the last host). This works exceptionally well if a large bunch of messages arrive from the same host, but "cache" performance can easily be thrashed with multiple senders. All in all, in practice, it works reasonably well, as on a busy system at least a couple of messages are usually from the same sender. I plan to add a real cache some time later, personally I would hope to see it this summer.
>
> > I haven't tried to do IPv6 yet, I know that it requires more effort to set the IP layer options, but I don't know exactly what yet.
>
> Omudpspoof is kept IPv4 only and I plan to work on IPv6 only if real demand shows up. Even then, I consider it to be low priority except given very good reasoning ;)
>
> Rainer
>
> > I wanted to float this first to see what you think before spending much more time on it.
> >
> > David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
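The thread describes relayed lines that carry the claimed original sender as a leading `%fromhost-ip%` field, and names one failure mode: messages generated on the relay itself leave with a source of 127.0.0.1. A collector receiving such lines should parse that field and sanity-check it rather than trust it blindly. The following is an added example written for this page, not rsyslog code and not part of the thread; the function names `parse_relayed`, `check_source` and `triage` are hypothetical, and the sample lines and addresses are constructed. It parses the `TraditionalFwdFormat` layout quoted above and flags claimed source addresses that cannot be a legitimate remote sender (loopback, unspecified, multicast, reserved) as well as out-of-range PRI values.

```python
"""Receiver-side sanity checks for syslog lines relayed in the TraditionalFwdFormat
layout quoted in the thread. Added example; not rsyslog's own code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One relayed line looks like (constructed sample, following the template in the thread):
#   10.0.0.5 <38>Mar  4 08:17:00 webhost sshd[1234]: Accepted publickey for admin
LINE_RE = re.compile(
    r"^(?P<fromhost_ip>\S+) "                                # %fromhost-ip%: claimed original sender
    r"<(?P<pri>\d{1,3})>"                                      # <%pri%>
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # %timegenerated% (RFC 3164 style)
    r"(?P<hostname>\S+) "                                     # %HOSTNAME%
    r"(?P<tag>\S+?)"                                           # %syslogtag%, e.g. sshd[1234]:
    r"(?P<msg>\s.*|)$"                                         # %msg% (rsyslog keeps its leading space)
)


@dataclass
class RelayedMessage:
    fromhost_ip: str
    pri: int
    timestamp: str
    hostname: str
    tag: str
    msg: str


def parse_relayed(line: str) -> Optional[RelayedMessage]:
    """Split a template-formatted line into its fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return RelayedMessage(
        fromhost_ip=m["fromhost_ip"],
        pri=int(m["pri"]),
        timestamp=m["timestamp"],
        hostname=m["hostname"],
        tag=m["tag"],
        msg=m["msg"].lstrip(),
    )


def check_source(rec: RelayedMessage) -> List[str]:
    """Return findings about the claimed source address; an empty list means plausible."""
    findings: List[str] = []
    try:
        ip = ipaddress.ip_address(rec.fromhost_ip)
    except ValueError:
        return [f"fromhost-ip {rec.fromhost_ip!r} is not an IP address"]
    if ip.version != 4:
        # The thread states omudpspoof is IPv4 only; an IPv6 claim did not come through it.
        findings.append("fromhost-ip is IPv6 but the spoofing relay is IPv4 only")
    if ip.is_loopback:
        # The exact case raised in the thread: the relay's own logs leave as 127.0.0.1.
        findings.append("fromhost-ip is loopback: message originated on the relay itself")
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved:
        findings.append(f"fromhost-ip {ip} cannot be a unicast sender")
    if rec.pri > 191:
        findings.append(f"PRI {rec.pri} is out of range (0-191)")
    return findings


def triage(lines) -> dict:
    """Bucket a batch of relayed lines into ok / flagged / unparseable."""
    result = {"ok": [], "flagged": [], "unparseable": []}
    for line in lines:
        rec = parse_relayed(line)
        if rec is None:
            result["unparseable"].append(line)
            continue
        findings = check_source(rec)
        (result["flagged"] if findings else result["ok"]).append((rec, findings))
    return result


# Constructed sample input; addresses, hostnames and tags are made up.
SAMPLE_LINES = [
    "10.0.0.5 <38>Mar  4 08:17:00 webhost sshd[1234]: Accepted publickey for admin",
    '127.0.0.1 <30>Mar  4 08:17:01 relay rsyslogd: [origin software="rsyslogd"] start',
    "224.0.0.1 <13>Mar  4 08:17:02 ghost cron[77]: job ran",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LINES).items():
        print(bucket, len(items))
        for item in items:
            print("  ", item)
```

The loopback finding is the one the thread predicts: with the relay's own messages carrying 127.0.0.1, a collector that keys its per-host processing on `%fromhost-ip%` would attribute them to nothing useful, so they are worth routing separately or re-tagging with the relay's real address.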

