Hi David,

the problem arose when I sent log packets to the remote log server. There I wanted to filter out these log messages based on the sending IP address. I was wondering why my filter rule never matched until I recognized (after some time of debugging: is there an easy way to introspect expression variables?) that the IP address of the packets is different from the one I expected. I was so sure that the main IP address would be taken that I never thought about this possibility (yes, yes, assumptions and IT: these two don't fit well ;-) )

This is the scenario. Suggestions for a "better way" welcome.

Best regards
Andreas Mock

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of David Lang
Sent: Wednesday, 19 February 2014 02:25
To: rsyslog-users
Subject: Re: [rsyslog] How to config the IP address of outgoing upd/tcp log messages

The only module that allows specifying the from address is the omudpspoof module which can fake it per message.

What is it you are trying to accomplish?

David Lang

On Tue, 18 Feb 2014, Andreas Mock wrote:

> Date: Tue, 18 Feb 2014 12:15:02 +0000
> From: Andreas Mock <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] How to config the IP address of outgoing upd/tcp log messages
>
> Hi Rainer,
>
> your answer explains why I searched for a phantom in the documentation... ;-)
>
> Thank you
> Andreas Mock
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of Rainer Gerhards
> Sent: Tuesday, 18 February 2014 12:20
> To: rsyslog-users
> Subject: Re: [rsyslog] How to config the IP address of outgoing upd/tcp log messages
>
> On Tue, Feb 18, 2014 at 10:42 AM, Andreas Mock <[email protected]> wrote:
>
>> Hi David,
>>
>> thank you for your answer.
>>
>> a) Yes, I meant the source IP of the outgoing log packet.
>> b) Do I understand it right that there is no way to influence
>> which IP is taken in the case there are two equivalent (in the
>> sense of routing) IP addresses? A kind of explicit binding?
>>
>
> I think it's not implemented. Maybe in the current versions.
>
> Rainer
>
>
>> Best regards
>> Andreas Mock
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On behalf of David Lang
>> Sent: Tuesday, 18 February 2014 08:16
>> To: rsyslog-users
>> Subject: Re: [rsyslog] How to config the IP address of outgoing upd/tcp log messages
>>
>> On Mon, 17 Feb 2014, Andreas Mock wrote:
>>
>>> Hi all,
>>>
>>> after hours of debugging a problem (rsyslog 5.8.10) and searching the docs and google
>>> I'm totally frustrated and want to ask you the following:
>>>
>>> - I want to send log messages out to a remote syslog server => no problem
>>> - But I don't know how to tell the sending side to use a certain IP address.
>>> I have bound two IP addresses to one device and the IP address of the alias and
>>> NOT the main interface is taken.
>>> - Can someone explain the rules which IP address is taken and how I can influence it?
>>
>> when you say "which IP address is taken" do you mean the source IP address for
>> the packet?
>>
>> If so, the answer is that unless you set things up otherwise with iptables
>> tricks, the source IP is going to be the IP of the interface picked by the
>> routing table to get to that destination, exactly the same way that the source
>> IP would be selected for SSH, your web browser, or just about every other piece
>> of software on your system.
>>
>> David Lang
>>
>>> Some information:
>>> - 'uname -n' is "test"
>>> - host "test" resolves to main ip
>>> - host "main ip" resolves to "test.full.domain"
>>> - hostname resolves to "test"
>>> - hostname -d resolves to "full.domain"
>>>
>>>
>>>
>>> Best regards
>>> Andreas Mock
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
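Added example, not part of the thread and not rsyslog code: a small Python check of the behaviour discussed above, showing which source IP a UDP log receiver actually sees when the sender leaves the choice to the kernel versus when the sending socket is explicitly bound. It assumes Linux, where all of 127.0.0.0/8 is reachable on loopback; 127.0.0.2 stands in for the second (alias) address, and the function names and the sample payload are constructed for illustration.

```python
import socket

# Constructed sample syslog datagram (facility user, severity info).
SAMPLE = b"<14>test app: constructed sample message"


def kernel_choice(dest_ip, port=514):
    """Return the source IP the routing table would pick for dest_ip.

    connect() on a UDP socket sends nothing; it only makes the kernel
    resolve the route and fix the local address.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest_ip, port))
        return s.getsockname()[0]
    finally:
        s.close()


def observed_source(dest_ip, bind_ip=None, payload=SAMPLE):
    """Send one datagram to a local receiver; return the sender IP it sees.

    bind_ip=None leaves source selection to the kernel (what the thread
    describes); a value binds the sending socket to that address first.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((dest_ip, 0))          # ephemeral port, no privileges needed
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        if bind_ip is not None:
            tx.bind((bind_ip, 0))      # explicit source address
        tx.sendto(payload, (dest_ip, port))
        _, (src_ip, _src_port) = rx.recvfrom(1024)
        return src_ip
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    print("kernel would use :", kernel_choice("127.0.0.1"))
    print("receiver sees    :", observed_source("127.0.0.1"))
    print("after bind()     :", observed_source("127.0.0.1", "127.0.0.2"))
```

Running `kernel_choice()` against the real log server's address on the sending host shows the address a sender-IP filter on the receiver has to match.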

