----- Original Message -----
> From: "David Lang" <[email protected]>
> To: "rsyslog-users" <[email protected]>
> Sent: Tuesday, December 11, 2012 11:54:47 AM
> Subject: Re: [rsyslog] imfile and omudpspoof
>
> On Tue, 11 Dec 2012, Rick Brown wrote:
>
> > I use imfile to gather application logs such as apache, tomcat,
> > php, etc. and send those on to my syslog server along with the
> > client machines' normal syslog traffic. My syslog server then
> > dutifully writes all the messages locally and additionally
> > forwards the messages on to a SIEM product via omudpspoof.
> >
> > Watching packet captures, I can see some messages are being spoofed
> > and sent on to the SIEM, but some are not. At first glance, it
> > appears that all regular syslog messages that are generated on the
> > client are being spoofed and sent on to the SIEM, but most, if not
> > all, messages generated via imfile on the client are not being
> > spoofed and sent on to the SIEM at all.
> >
> > I've tried the standard
> >
> > *.* :omudpspoof:
> >
> > as well as
> >
> > $template spooftemplate,"$fromhost-ip% %rawmsg%"
> > *.* :omudpspoof:;spooftemplate
>
> note there is a typo here, it should be %fromhost-ip% not
> $fromhost-ip%
Doh! Okay, fixed that and trying again.. same thing.

> > and
> >
> > $template spooftemplate,"%rawmsg%"
> > *.* :omudpspoof:;spooftemplate
> >
> > All with the same effect. Am I missing something here? Is anyone
> > else doing similar, or seen similar behavior?
> >
> > For the record, I'm running a patched version of 5.8.11. The patch,
> > now that I'm reading it again, was to protect against calling more
> > than one instance of libnet code in the omudpspoof module.
>
> the udpspoof module grabs the first field from the template and uses
> that as the IP address to spoof from. What is the fromhost-ip when
> you get the files from imfile?

Ahh, you may be onto something there.. the messages coming into my syslog server have just the hostname in it, not FQDN, and not IP address. The few that I see leaving for the SIEM have the IP address in that field of the message. Now to figure out why they're different.

--
Rick Brown
Office of Information Technology
Georgia Institute of Technology
258 4th Street N.W.
Atlanta, GA 30332-0715
email: [email protected]
ph: (404) 894-6175
Calendar: https://mail.gatech.edu/home/[email protected]?fmt=freebusy

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
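The exchange above turns on one behaviour: omudpspoof takes the first field of the rendered template and uses it as the source address to spoof, so a message whose first field is a bare hostname cannot be spoofed. The following script is an added illustration, not rsyslog's own code and not from either poster. It emulates that selection rule (the "first field" is assumed to be the first whitespace-delimited token of the rendered template, which is an assumption; everything else follows David Lang's description), renders the three templates from the thread against constructed sample messages, and reports which ones yield a usable address. The message properties and log lines are constructed for the example; `render_template`, `spoof_source` and `classify` are names chosen here.

```python
"""Emulate omudpspoof's source-address selection as described in the thread.

Added illustration, not rsyslog code: renders a legacy-syntax rsyslog
template from a dict of message properties, takes the first
whitespace-delimited field of the result (assumption: this is what
"first field from the template" means), and reports whether that field
parses as an IP address. Messages where it does not are the ones that
would not be spoofed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Matches %property% placeholders in a legacy rsyslog template string.
PROPERTY_RE = re.compile(r"%([A-Za-z0-9_-]+)%")


def render_template(template: str, props: Dict[str, str]) -> str:
    """Substitute %property% placeholders; unknown properties render empty.

    A stray '$' before a property name (the typo in the thread) is left as
    literal text, because it is not a valid placeholder.
    """
    return PROPERTY_RE.sub(lambda m: props.get(m.group(1), ""), template)


def spoof_source(rendered: str) -> Optional[str]:
    """Return the first field if it is a valid IPv4/IPv6 literal, else None."""
    fields = rendered.split(None, 1)
    if not fields:
        return None
    try:
        return str(ipaddress.ip_address(fields[0]))
    except ValueError:
        # A hostname, a leftover '$fromhost-ip%' literal, or the start of a
        # raw syslog line all land here: no usable source address.
        return None


def classify(template: str, messages: List[Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Map each message to the address omudpspoof would spoof from, or None."""
    return [(m["source"], spoof_source(render_template(template, m))) for m in messages]


# Constructed sample messages modelled on the cases in the thread: a regular
# syslog message received over the network (fromhost-ip carries an address),
# an imfile-sourced message where the server sees only a hostname, and an
# IPv6 sender to show the address check is not IPv4-specific.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"source": "syslog", "fromhost-ip": "10.1.2.3",
     "rawmsg": "<34>Dec 11 11:54:47 web01 sshd[1234]: Accepted publickey for rick"},
    {"source": "imfile", "fromhost-ip": "web01",
     "rawmsg": '<134>Dec 11 11:54:48 web01 apache: 10.9.8.7 - - "GET / HTTP/1.1" 200'},
    {"source": "syslog", "fromhost-ip": "2001:db8::10",
     "rawmsg": "<38>Dec 11 11:54:49 db02 sudo: rick : TTY=pts/0 ; COMMAND=/bin/ls"},
]

# The three templates tried in the thread, including the '$' typo.
TEMPLATES = [
    "%fromhost-ip% %rawmsg%",
    "$fromhost-ip% %rawmsg%",
    "%rawmsg%",
]

if __name__ == "__main__":
    for tpl in TEMPLATES:
        print(f"template {tpl!r}")
        for source, addr in classify(tpl, SAMPLE_MESSAGES):
            verdict = f"spoof from {addr}" if addr else "NOT spoofed (no address in first field)"
            print(f"  {source:7s} -> {verdict}")
```

Run against a real capture, the same check (first field of each line through `ipaddress.ip_address`) separates the messages that can be spoofed from those that cannot, which is the split the poster saw between network-received syslog traffic and imfile-sourced lines.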

