1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<title>UDP spoofing output module (omudpspoof)</title>
</head>
<body>
<a href="rsyslog_conf_modules.html">rsyslog module reference</a>
<h1>UDP spoofing output module (omudpspoof)</h1>
<p><b>Module Name: omstdout</b></p>
<p><b>Author: </b>David Lang <david@lang.hm> and Rainer Gerhards
<rgerhards@adiscon.com></p>
<p><b>Available Since</b>: 5.1.3</p>
<p><b>Description</b>:</p>
<p>This module is similar to the regular UDP forwarder, but permits to
spoof the sender address. Also, it enables to circle through a number of
source ports.
<p><b>Configuration Directives</b>:</p>
<ul>
<li><b>$ActionOMUDPSpoofSourceNameTemplate</b> <templatename><br>
This is the name of the template that contains a
numerical IP address that is to be used as the source system IP address.
While it may often be a constant value, it can be generated as usual via the
property replacer, as long as it is a valid IPv4 address. If not specified, the
build-in default template RSYSLOG_omudpspoofDfltSourceTpl is used. This template is defined
as follows:<br>
$template RSYSLOG_omudpspoofDfltSourceTpl,"%fromhost-ip%"<br>
So in essence, the default template spoofs the address of the system the message
was received from. This is considered the most important use case.
<li><b>$ActionOMUDPSpoofTargetHost</b> <hostname><br>
Host that the messages shall be sent to.
<li><b>$ActionUDPSpoofTargetPort</b> <port><br>
Remote port that the messages shall be sent to.
<li><b>$ActionOMUDPSpoofDefaultTemplate</b> <templatename><br>
This setting instructs omudpspoof to use a template different from the
default template for all of its actions that do not have a template specified
explicitely.
<li><b>$ActionOMUDPSpoofSourcePortStart</b> <number><br>
Specifies the start value for circeling the source ports. Must be less than or
equal to the end value. Default is 32000.
<li><b>$ActionOMUDPSpoofSourcePortEnd</b> <number><br>
Specifies the ending value for circeling the source ports. Must be less than or
equal to the start value. Default is 42000.
</ul>
<b>Caveats/Known Bugs:</b>
<ul>
<li><b>IPv6</b> is currently not supported. If you need this capability, please let us
know via the rsyslog mailing list.
</ul>
<p><b>Sample:</b></p>
<p>The following sample forwards all syslog messages in standard form to the
remote server server.example.com. The original sender's address is used. We do not
care about the source port. This example is considered the typical use case for
omudpspoof.
</p>
<textarea rows="5" cols="80">$ModLoad omudpspoof
$ActionUDPSpoofTargetHost server.example.com
*.* :omudpspoof:
</textarea>
<p>The following sample forwards all syslog messages in unmodified form to the
remote server server.example.com. The sender address 192.0.2.1 with fixed
source port 514 is used.
</p>
<textarea rows="8" cols="80">$ModLoad omudpspoof
$template spoofaddr,"192.0.2.1"
$template spooftemplate,"%rawmsg%"
$ActionUDPSpoofSourceNameTemplate spoofaddr
$ActionUDPSpoofTargetHost server.example.com
$ActionUDPSpoofSourcePortStart 514
$ActionUDPSpoofSourcePortEnd 514
*.* :omudpspoof:;spooftemplate
</textarea>
<p>The following sample is similar to the previous, but uses as many defaults as possible.
In that sample, a source port in the range 32000..42000 is used. The message is formatted
according to rsyslog's canned default forwarding format. Note that if any parameters
have been changed, the previously set defaults will be used!
</p>
<textarea rows="5" cols="80">$ModLoad omudpspoof
$template spoofaddr,"192.0.2.1"
$ActionUDPSpoofSourceNameTemplate spoofaddr
$ActionUDPSpoofTargetHost server.example.com
*.* :omudpspoof:
</textarea>
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
Copyright © 2009 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
</body></html>
|
