| Current Path : /usr/local/share/doc/syslog-ng/ |
FreeBSD hs32.drive.ne.jp 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Wed Jan 14 12:18:08 JST 2015 root@hs32.drive.ne.jp:/sys/amd64/compile/hs32 amd64 |
| Current File : //usr/local/share/doc/syslog-ng/README.spoof |
syslog-ng includes a feature called spoof-source which makes it possible to
spoof the original source address of forwarded syslog packets. This means
that if syslog-ng receives a message from a router then syslog-ng is able to
resend this message in the name of this router (from the same IP) even if
this address is not local to the syslog-ng host.
Compiling spoof-source
======================
Spoof-source is a compile time feature, it must be enabled when running
configure, like this:
./configure --enable-spoof-source
The implementation of spoof-source relies on libnet to do portable packet
mangling, thus it requires a copy of libnet (at least version 1.1) to be
installed. The script named libnet-config is needed to discover various
libnet settings, thus if libnet-config is not installed, the command line
above changes to:
./configure --enable-spoof-source --with-libnet=<path/to/compiled libnet source>
libnet is available as the part of most Linux distributions, but can also be
installed from source, it is located at http://www.packetfactory.net/libnet/
Using spoof-source
==================
Spoof-source is only supported by UDP destinations and can be enabled by a
simple option named "spoof-source" like this:
--- syslog-ng.conf ---
source src { udp(); internal(); };
destination dst_spoof { udp("10.0.0.2" spoof-source(yes)); };
log { source(src); destination(dst); };
--- end of syslog-ng.conf ---
Limitations of spoof-source
===========================
- Spoof-source can only spoof source addresses for packets that were received
via some IPv4 network device (ie. either one of the tcp() or udp() drivers)
- If creating a raw packet fails for some reason the udp() driver falls back
to simple socket transport, thus the original source address will not be spoofed.