> The spoofing code that I originally submitted required that the IP that
> you want to be spoofed be in the template.
>
> so you would need to do something like:
>
> $template spooftemplate,"%fromhost-ip% %rawmsg%"

I just checked the code, this is no longer necessary. The to-be-spoofed IP is passed in via a separate config stmt. It defaults to fromhost-ip, so things *should* work in the way Jo has configured it. Maybe we need to add some instrumentation to see what breaks?

> rather than just rawmsg (note that if you use the -x on the command line,
> you need to use fromhost instead of fromhost-ip)

Do you mean you don't have fromhost-ip set if -x is used? If so, that's a bug.

Rainer

> David Lang
>
> On Thu, 19 Apr 2012, Jo Rhett wrote:
>
> > I've been debugging this all day, and I'm not sure what's wrong yet
> > (got some pcaps I'm staring at) but raw message forwarding as
> > documented doesn't work. First, as documented on
> > http://www.rsyslog.com/doc/omudpspoof.html
> >
> > $ModLoad omudpspoof
> > $template spooftemplate,"%rawmsg%"
> > $ActionUDPSpoofTargetHost server.example.com
> > *.* :omudpspoof:;spooftemplate
> >
> > This doesn't work with 5.8. So revised as:
> >
> > $ModLoad omudpspoof
> > $template spooftemplate,"%rawmsg%"
> > $ActionOMUDPSpoofTargetHost server.example.com
> > *.* :omudpspoof:;spooftemplate
> >
> > This works and sends the packet, but the remote server doesn't like
> > the packet. I've gotten it to work with just "%msg%" and a few other
> > formats, but sending the entire original message doesn't appear to
> > work.
> >
> > Some clarity might be helpful: is rsyslog breaking the message down
> > and rebuilding it? If so, is rawmessage likely to be producing a
> > pregnant/bundled message?
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards

