> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of David Lang
> Sent: Tuesday, December 18, 2012 2:22 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] imfile and omudpspoof
>
> By the way, as the original author of omudpspoof, I want to try and discourage
> anyone from using it if they have any other way of making things work.

If there are other ways to achieve what you want, that is definitely a plus. For example, you CANNOT drop privileges with omudpspoof, because it needs low-level socket access all the time.

> It is a very ugly hack, and its performance is always going to be poor due to
> the overhead of changing the source IP address for the forgery.

While the performance is far from regular forwarding, the code quality itself has improved dramatically, especially during the past days. In 7.2.5, it is a clean solution.

One issue, though, that I am currently fighting with is that at least some versions of libnet seem to report "success" even when there was an error at the socket layer. That obviously makes it hard to handle errors ;)

Note that libnet also seems not to be 100% thread-safe, so concurrency inside omudpspoof is limited (one caller at the same time rsyslog-globally).

Rainer

> If there is any way of having the thing that's receiving the logs look at the
> server name or IP address in the message instead of having it look at the source
> IP in the syslog packet, you should do so.
>
> And if you are using some proprietary tool that is broken like this, you should
> complain loudly that this tool is broken if you have syslog relay servers,
> something that has been part of the syslog spec for decades.
>
> I wrote this module because at $work we had exactly such a system, and after
> spending >$500K on it and two years, we ended up scrapping it because Simple
> Event Correlator was faster on given hardware, more powerful, and simpler to
> maintain (not to mention being _far_ cheaper as it's Open Source), even in very
> high volume environments.
>
> If you don't trust the sending systems to set the hostname properly, have your
> first relay system replace the server name with the fromhost-IP of the box that
> sent the message.
>
> If you still need to run omudpspoof, you have my sympathies.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
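
The relay-side alternative to omudpspoof suggested in the quoted text (have the first relay replace the hostname with the fromhost-IP of the sender), sketched as an added example that is not part of the original thread or the rsyslog project's own configuration. It assumes rsyslog v7-style syntax; the template name `FwdWithSenderIP` and the target `collector.example.net` are placeholders.

```conf
# Added example, not from the original thread.
# Assumptions: rsyslog v7+ RainerScript syntax, a relay that receives syslog
# on UDP 514, and a placeholder downstream receiver collector.example.net.

module(load="imudp")
input(type="imudp" port="514")

# Same layout as the built-in RSYSLOG_TraditionalForwardFormat, except that
# the HOSTNAME field is replaced by fromhost-ip: the address this relay
# received the packet from, not whatever the sender wrote into the message.
template(name="FwdWithSenderIP" type="string"
         string="<%PRI%>%TIMESTAMP% %fromhost-ip% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

if $inputname == "imudp" then {
    # Network-received messages: forward with the sender's IP in the
    # hostname field, so the receiver can key on message content instead
    # of the source IP of the relayed packet.
    action(type="omfwd" target="collector.example.net" port="514"
           protocol="udp" template="FwdWithSenderIP")
} else {
    # Messages generated on the relay itself keep their own hostname.
    action(type="omfwd" target="collector.example.net" port="514"
           protocol="udp" template="RSYSLOG_TraditionalForwardFormat")
}
```

Because fromhost-ip only reflects the previous hop, this rewrite belongs on the first relay that receives the message; relays further down the chain should forward the hostname field unchanged. The relay sends with its own address through plain omfwd, so it can still drop privileges and needs no raw socket.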

