On Tue, 11 Dec 2012, Rick Brown wrote:

I use imfile to gather application logs such as apache, tomcat, php, etc. and 
send those on to my syslog server along with the client machines' normal syslog 
traffic. My syslog server then dutifully writes all the messages locally and 
additionally forwards the messages on to a SIEM product via omudpspoof.

Watching packet captures, I can see some messages are being spoofed and sent on 
to the SIEM, but some are not.  At first glance, it appears that all regular 
syslog messages that are generated on the client are being spoofed and sent on 
to the SIEM, but most, if not all messages generated via imfile on the client 
are not being spoofed and sent on to the SIEM at all.

I've tried the standard
*.* :omudpspoof:

as well as
$template spooftemplate,"$fromhost-ip% %rawmsg%"
*.*      :omudpspoof:;spooftemplate

Note there is a typo here, it should be %fromhost-ip% not $fromhost-ip%

and
$template spooftemplate,"%rawmsg%"
*.*      :omudpspoof:;spooftemplate

All with the same effect. Am I missing something here? Is anyone else doing 
similar, or seen similar behavior?

For the record, I'm running a patched version of 5.8.11. The patch, now that 
I'm reading it again, was to protect against calling more than one instance of 
libnet code in the omudpspoof module.

The udpspoof module grabs the first field from the template and uses that as the IP address to spoof from. What is the fromhost-ip when you get the files from imfile?

David Lang
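The template contract David describes, as an added illustration that is not code from this thread or from rsyslog itself: a simplified model of string-template rendering (not rsyslog's own parser) that assumes omudpspoof takes the first whitespace-delimited field of the rendered line as the spoof source, applied to the three templates above for a constructed network-received message and a constructed locally generated one.

```python
import ipaddress
import re

# Simplified model of an rsyslog string template: %name% is replaced by the
# property value, everything else is copied literally. This is an
# illustration only, not rsyslog's template engine.
PROP_RE = re.compile(r"%([A-Za-z0-9_-]+)%")

def render_template(template, props):
    """Render a template against a dict of message properties."""
    return PROP_RE.sub(lambda m: props.get(m.group(1), ""), template)

def spoof_source(rendered):
    """Return the first whitespace-delimited field as an IP address, which is
    what omudpspoof is described as using for the spoofed UDP source
    (assumption: first field, split on whitespace), or None if that field
    does not parse as an IP address."""
    fields = rendered.split(None, 1)
    if not fields:
        return None
    try:
        return ipaddress.ip_address(fields[0])
    except ValueError:
        return None

def check_spoof_source(template, props):
    """Classify what a template would hand omudpspoof for one message."""
    addr = spoof_source(render_template(template, props))
    if addr is None:
        return "reject"      # first field is not a usable source address
    if addr.is_loopback or addr.is_unspecified:
        return "local"       # message originated on this host (e.g. imfile)
    return "ok"

# Constructed sample messages (hypothetical hosts and addresses).
NET_MSG = {"fromhost-ip": "192.0.2.10",
           "rawmsg": "<13>Dec 11 10:00:00 web01 sshd: session opened"}
LOCAL_MSG = {"fromhost-ip": "127.0.0.1",
             "rawmsg": "<13>Dec 11 10:00:01 relay imfile: line read from file"}

if __name__ == "__main__":
    for name, tpl in [("good", "%fromhost-ip% %rawmsg%"),
                      ("typo", "$fromhost-ip% %rawmsg%"),
                      ("rawonly", "%rawmsg%")]:
        print(name, check_spoof_source(tpl, NET_MSG),
              check_spoof_source(tpl, LOCAL_MSG))
```

Running it shows that only the correctly spelled template yields a routable source for the network message, while the typo'd template and the %rawmsg%-only template leave a non-address in the first field, and a loopback fromhost-ip marks messages that originated on the relay itself.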
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog