Mailing List Archive: RSyslog: users

rawmessage forwarding doesn't appear to work



jrhett at netconsonance

Apr 19, 2012, 5:52 PM

Post #1 of 8 (613 views)
rawmessage forwarding doesn't appear to work

I've been debugging this all day, and I'm not sure what's wrong yet (got some pcaps I'm staring at) but raw message forwarding as documented doesn't work. First, as documented on http://www.rsyslog.com/doc/omudpspoof.html

$ModLoad omudpspoof
$template spooftemplate,"%rawmsg%"
$ActionUDPSpoofTargetHost server.example.com
*.* :omudpspoof:;spooftemplate

This doesn't work with 5.8. So revised as:

$ModLoad omudpspoof
$template spooftemplate,"%rawmsg%"
$ActionOMUDPSpoofTargetHost server.example.com
*.* :omudpspoof:;spooftemplate

This works and sends the packet, but the remote server doesn't like the packet. I've gotten it to work with just "%msg%" and a few other formats, but sending the entire original message doesn't appear to work.

Some clarity might be helpful: is rsyslog breaking the message down and rebuilding it? If so, is rawmessage likely to be producing a pregnant/bundled message?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards


david at lang

Apr 19, 2012, 6:07 PM

Post #2 of 8 (591 views)
Re: rawmessage forwarding doesn't appear to work [In reply to]

The spoofing code that I originally submitted required that the IP that
you want to be spoofed be in the template.

so you would need to do something like:

$template spooftemplate,"%fromhost-ip% %rawmsg%"

rather than just rawmsg (note that if you use the -x on the command line,
you need to use fromhost instead of fromhost-ip)

David Lang



rgerhards at hq

Apr 19, 2012, 10:34 PM

Post #3 of 8 (606 views)
Re: rawmessage forwarding doesn't appear to work [In reply to]

> Jo Rhett wrote:
>
> I've been debugging this all day, and I'm not sure what's wrong yet
> (got some pcaps I'm staring at) but raw message forwarding as
> documented doesn't work. First, as documented on
> http://www.rsyslog.com/doc/omudpspoof.html
>
> $ModLoad omudpspoof
> $template spooftemplate,"%rawmsg%"
> $ActionUDPSpoofTargetHost server.example.com
> *.* :omudpspoof:;spooftemplate
>
> This doesn't work with 5.8. So revised as:
>
> $ModLoad omudpspoof
> $template spooftemplate,"%rawmsg%"
> $ActionOMUDPSpoofTargetHost server.example.com
> *.* :omudpspoof:;spooftemplate

Thanks - the doc was incorrect. I just fixed it (inside git so far).
>
> This works and sends the packet, but the remote server doesn't like the
> packet. I've gotten it to work with just "%msg%" and a few other
> formats, but sending the entire original message doesn't appear to
> work.
>
> Some clarity might be helpful: is rsyslog breaking the message down and
> rebuilding it? If so, is rawmessage likely to be producing a
> pregnant/bundled message?

In theory, the message is processed, but if you use just the rawmsg property,
this *is* the raw message exactly as it was received. So the message is not
altered in that case.

Rainer


rgerhards at hq

Apr 19, 2012, 10:36 PM

Post #4 of 8 (590 views)
Re: rawmessage forwarding doesn't appear to work [In reply to]

> The spoofing code that I originally submitted required that the IP that
> you want to be spoofed be in the template.
>
> so you would need to do something like:
>
> $template spooftemplate,"%fromhost-ip% %rawmsg%"

I just checked the code, this is no longer necessary. The to-be-spoofed IP is
passed in via a separate config stmt. It defaults to fromhost-ip, so things
*should* work in the way Jo has configured it. Maybe we need to add some
instrumentation to see what breaks?

>
> rather than just rawmsg (note that if you use the -x on the command
> line,
> you need to use fromhost instead of fromhost-ip)

Do you mean you don't have fromhost-ip set if -x is used? If so, that's a
bug.
Rainer

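
Added example (not rsyslog or omudpspoof code): a small Python script that builds an IPv4/UDP syslog datagram the way a source-spoofing relay puts it on the wire and parses one back, so the check Jo was doing against pcaps can be run offline on captured bytes. It compares the three template payloads discussed above (%rawmsg%, %msg% alone, and %fromhost-ip% %rawmsg%) for two properties: whether the IP source address on the wire is the original sender rather than the relay, and whether the payload starts with a parseable syslog <PRI>, which %msg% alone and an address-prefixed line do not. The addresses (RFC 5737 ranges), ports and the log line are constructed for the example. One caveat: the collector's fromhost-ip is taken from the IP header, which is exactly the field this kind of spoofing rewrites, so any host that can send raw IP toward the collector can claim any origin, and source-IP based trust downstream is only as strong as the network path.

```python
"""Offline check of what a source-spoofing syslog relay puts on the wire.

Added example for the thread, not rsyslog or omudpspoof code. All
addresses, ports and the sample log line below are constructed.
"""
import socket
import struct

IPPROTO_UDP = 17


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_spoofed_datagram(src_ip: str, dst_ip: str, src_port: int,
                           dst_port: int, payload: bytes) -> bytes:
    """IPv4 + UDP packet with an arbitrary source address, i.e. what a raw
    socket / libnet based spoofer emits. UDP checksum stays 0 (allowed on IPv4)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,              # version 4, IHL 5 words
                         0,                 # DSCP/ECN
                         20 + udp_len,      # total length
                         0, 0,              # id, flags/fragment offset
                         64,                # TTL
                         IPPROTO_UDP,
                         0,                 # checksum placeholder
                         socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip))
    csum = ones_complement_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + udp


def parse_datagram(packet: bytes) -> dict:
    """Split a raw IPv4/UDP packet into addresses, ports and payload.
    Rejects truncated packets, bad header checksums and non-UDP protocols."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("truncated IPv4/UDP packet")
    if ones_complement_checksum(packet[:ihl]) != 0:   # valid header sums to 0
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": packet[ihl + 8:ihl + ulen],
    }


def syslog_pri(payload: bytes):
    """Return (facility, severity) if the payload opens with a syslog PRI
    field ('<' + 0..191 + '>' per RFC 3164/5424), else None. A payload made
    from %msg% alone, or with an address prepended, has no PRI."""
    end = payload.find(b">", 1, 5) if payload.startswith(b"<") else -1
    if end == -1 or not payload[1:end].isdigit():
        return None
    pri = int(payload[1:end])
    if pri > 191:
        return None
    return pri >> 3, pri & 7


def check_relayed(packet: bytes, origin_ip: str, raw_msg: bytes) -> dict:
    """What a collector-side analyst wants from one captured packet: is the
    IP source the original sender, and is the payload the unaltered raw
    message with a parseable PRI."""
    p = parse_datagram(packet)
    return {
        "source_spoofed_to_origin": p["src"] == origin_ip,
        "payload_is_rawmsg": p["payload"] == raw_msg,
        "pri": syslog_pri(p["payload"]),
    }


# Constructed sample: original sender, relay running the spoofing output,
# and the collector.
ORIGIN, RELAY, COLLECTOR = "192.0.2.10", "192.0.2.1", "198.51.100.7"
RAW_MSG = (b"<34>Apr 19 17:52:01 web01 sshd[2212]: "
           b"Accepted publickey for jo from 192.0.2.50 port 51234")
MSG_ONLY = b"Accepted publickey for jo from 192.0.2.50 port 51234"

if __name__ == "__main__":
    for label, payload in [("%rawmsg%", RAW_MSG),
                           ("%msg%", MSG_ONLY),
                           ("%fromhost-ip% %rawmsg%", ORIGIN.encode() + b" " + RAW_MSG)]:
        pkt = build_spoofed_datagram(ORIGIN, COLLECTOR, 514, 514, payload)
        print(label, check_relayed(pkt, ORIGIN, RAW_MSG))
```

To use it on a real capture, feed parse_datagram the IPv4 packet bytes (strip the Ethernet frame first) and compare the result with the line the original host logged; a packet whose src is the relay's address means spoofing did not take effect, and a payload without a leading PRI is the usual reason a collector treats the line as garbage.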


david at lang

Apr 19, 2012, 11:37 PM

Post #5 of 8 (590 views)
Re: rawmessage forwarding doesn't appear to work [In reply to]

On Fri, 20 Apr 2012, Rainer Gerhards wrote:

>> (note that if you use the -x on the command line, you need to use
>> fromhost instead of fromhost-ip)
>
> Do you mean you don't have fromhost-ip set if -x is used? If so, that's a
> bug.

I haven't checked on 6.x, or the latest release of 5.x, but on at least
some of 5.x that is the case, if -x is used fromhost has the IP and
fromhost-ip is blank.

David Lang


rgerhards at hq

Apr 20, 2012, 12:33 AM

Post #6 of 8 (594 views)
Re: rawmessage forwarding doesn't appear to work [In reply to]

David, any specific plugin I need to check? Or just general?
Rainer


david at lang

Apr 20, 2012, 7:52 AM

Post #7 of 8 (591 views)
Re: rawmessage forwarding doesn't appear to work [In reply to]

I just use UDP, so I don't know about others.

David Lang



rgerhards at hq

Apr 20, 2012, 9:58 AM

Post #8 of 8 (594 views)
Re: rawmessage forwarding doesn't appear to work [In reply to]

> David Lang wrote:
>
> I just use UDP, so I don't know about others.

I just tried with the latest 5.8.10 and 5.4.0 (as a random older version). I
could not reproduce the problem in either case. I would appreciate it if you
could either try 5.8.10 or let me know the version number of a version where you
had the problem. I'd like to see if I can reproduce it, or if it is
environment-induced.

Thanks,
Rainer