The spoofing code that I originally submitted required that the IP that
you want to be spoofed be in the template.
So you would need to do something like:
$template spooftemplate,"%fromhost-ip% %rawmsg%"
rather than just rawmsg (note that if you use the -x on the command line,
you need to use fromhost instead of fromhost-ip).
David Lang
On Thu, 19 Apr 2012, Jo Rhett wrote:
I've been debugging this all day, and I'm not sure what's wrong yet (got some
pcaps I'm staring at) but raw message forwarding as documented doesn't work.
First, as documented on http://www.rsyslog.com/doc/omudpspoof.html
$ModLoad omudpspoof
$template spooftemplate,"%rawmsg%"
$ActionUDPSpoofTargetHost server.example.com
*.* :omudpspoof:;spooftemplate
This doesn't work with 5.8. So revised as:
$ModLoad omudpspoof
$template spooftemplate,"%rawmsg%"
$ActionOMUDPSpoofTargetHost server.example.com
*.* :omudpspoof:;spooftemplate
This works and sends the packet, but the remote server doesn't like the packet. I've
gotten it to work with just "%msg%" and a few other formats, but sending the
entire original message doesn't appear to work.
Some clarity might be helpful: is rsyslog breaking the message down and
rebuilding it? If so, is rawmessage likely to be producing a pregnant/bundled
message?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog