By the way, as the original author of omudpspoof, I want to try and discourage
anyone from using it if they have any other way of making things work.
It is a very ugly hack, and its performance is always going to be poor due to
the overhead of changing the source IP address for the forgery.
If there is any way of having the thing that's receiving the logs look at the
server name or IP address in the message instead of having it look at the source
IP in the syslog packet, you should do so.
And if you are using some proprietary tool that is broken like this, you should
complain loudly that this tool is broken if you have syslog relay servers,
something that has been part of the syslog spec for decades.
I wrote this module because at $work we had exactly such a system, and after
spending >$500K on it and two years, we ended up scrapping it because Simple
Event Correlator was faster on given hardware, more powerful, and simpler to
maintain (not to mention being _far_ cheaper as it's Open Source), even in very
high volume environments.
If you don't trust the sending systems to set the hostname properly, have your
first relay system replace the server name with the fromhost-IP of the box that
sent the message.
If you still need to run omudpspoof, you have my sympathies.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
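
The relay-side rewrite suggested in the message above, sketched as an rsyslog configuration for the first-hop relay. This is an added example, not part of the original post; the collector address 192.0.2.10, the ports, the transport and the template and ruleset names are placeholders chosen for illustration.

```rsyslog
# First-hop relay: accept UDP syslog from the sending systems and forward it
# with the HOSTNAME field replaced by the address the packet really came from.
# The collector can then attribute events from the message content, so the
# source IP of the forwarded packet no longer matters and omudpspoof is not
# needed.

module(load="imudp")
input(type="imudp" port="514" ruleset="first_hop")

# Same layout as the built-in RSYSLOG_ForwardFormat template, except that
# %fromhost-ip% is emitted where %HOSTNAME% would normally appear.
template(name="FwdWithSenderIP" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %fromhost-ip% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

ruleset(name="first_hop") {
    # 192.0.2.10 is a placeholder for the central collector.
    action(type="omfwd"
           target="192.0.2.10"
           port="514"
           protocol="tcp"
           template="FwdWithSenderIP")
}
```

Apply the rewrite only on the relay that receives messages directly from the original senders: on any later hop, fromhost-ip is the address of the previous relay, not of the originating host.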