<span class="gmail_quote"></span>
<div>Ok,</div>
<div> </div>
<div>I have tried everything you have given me and I am still coming up with nothing... Here is the output of my ldd:</div>
<div>ldd /usr/local/sbin/syslog-ng<br> libpthread.so.1 => /usr/lib/libpthread.so.1<br> libnsl.so.1 => /usr/lib/libnsl.so.1<br> libsocket.so.1 => /usr/lib/libsocket.so.1<br>
libdoor.so.1 => /usr/lib/libdoor.so.1<br> libresolv.so.2 => /usr/lib/libresolv.so.2<br> libxnet.so.1 => /usr/lib/libxnet.so.1<br> libc.so.1 => /usr/lib/libc.so.1<br> libdl.so.1
=> /usr/lib/libdl.so.1<br> libmp.so.2 => /usr/lib/libmp.so.2<br> libthread.so.1 => /usr/lib/libthread.so.1<br> /usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1<br> </div>
<div> </div>
<div>Notice libxnet. Should I be using it? Can it be causing the problem? How do I tell syslog-ng at compile time to use libnet.a or libnet.so? <br> </div>
<div><span class="e" id="q_106fff833293c930_1">
<div><span class="gmail_quote">On 10/14/05, <b class="gmail_sendername">Nate Campi</b> &lt;<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:nate@campin.net" target="_blank">nate@campin.net</a>&gt; wrote:
</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Ellis,<br><br>I didn't mention in my email to you that you'll want the libnet.so file<br>in /tmp/foo - but first make sure you're dynamically linked using the ldd
<br>command:<br><br>-0-[root@duo:masterfiles]# ldd /sbin/syslog-ng<br> libnsl.so.1 => /lib/libnsl.so.1 (0x40028000)<br> libresolv.so.2 => /lib/libresolv.so.2 (0x4003c000)<br> libc.so.6 => /lib/libc.so.6 (0x4004e000)
<br> /lib/ld-linux.so.2 (0x40000000)<br><br>You should see libnet.so in there somewhere if you're dynamically<br>linked. If you're statically linked then you have to narrow it down with<br>truss as Bazsi has said.<br>
<br>Good luck,<br>Nate<br><br>On Fri, Oct 14, 2005 at 05:35:13PM +0200, Balazs Scheidler wrote:<br>> On Thu, 2005-10-13 at 15:57 -0400, Chance Ellis wrote:<br>> > Ok,<br>> ><br>> > I copied the Solaris 8 libnet-config file to the /tmp/foo folder
<br>> > on Solaris 9. I then ran:<br>> ><br>> > LD_LIBRARY_PATH=/tmp/foo:$LD_LIBRARY_PATH<br>> > truss /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -F &<br>> ><br>> ><br>
> > I get the same result... Whenever I apply the spoof_source(yes) to the<br>> > config I do not get any messages forwarded to the destination. If I<br>> > remove the spoof_source(yes) messages flow but with the source IP
<br>> > address from the syslog-ng server...<br>> ><br>> > The truss output is quite huge! Is there any piece of the truss output<br>> > that would help me to troubleshoot this? Is libnet-config the only
<br>> > thing I need or do I need something in addition to libnet-config?<br>><br>> libnet-config is not used at all while running syslog-ng, it is a<br>> build-time script that is invoked to query header location and linking
<br>> information about the libnet library.<br>><br>> libnet is usually linked statically, so there's no point in setting<br>> LD_LIBRARY_PATH either, you can check which one syslog-ng is using by<br>> using "ldd" and/or checking if you have a
libnet.a file (static), or<br>> libnet.so file (dynamic), or both. If you have both, the linking<br>> parameters determine which one is used by syslog-ng, in this case ldd<br>> should tell you the truth.<br>><br>
> To analyze the truss path, you should look for the pattern of the<br>> message that should be sent out with a spoofed source address, and then<br>> you should see system calls like recvmsg() when the message is received
<br>> and either send() or write() when it is sent. libnet uses raw sockets to<br>> send messages, syslog-ng is probably opening AF_INET, SOCK_RAW sockets<br>> in that case.<br>><br>> Although Solaris uses socket emulation and thus the actual system calls
<br>> you see in the truss output might not be the same as in Linux, this is<br>> pretty straightforward. By the way, it might be easier to analyze the<br>> truss output if you are running a syslog-ng instance which does not
<br>> actually deliver a lot of messages, but only a single one, this way the<br>> truss output will not be so large.<br><br>--<br>Nate<br><br>"Often, when I am reading a good book, I stop and thank my teacher. That
<br>is, I used to, until she got an unlisted number." - Unknown 15-year-old<br><br><br></blockquote></div><br></span></div><br clear="all">
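
The trace check Balazs describes above (find the AF_INET, SOCK_RAW socket and the send or write calls made on it), as an added example that is not part of the original thread. The helper name `raw_socket_summary` is hypothetical, and the sample trace lines are constructed with an assumed line format.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a truss/strace trace on stdin and
# prints: raw_sockets=N failed=N sends=N
raw_socket_summary() {   # hypothetical helper name
    awk '
    # First argument of a call line is the descriptor, e.g. "sendto(5, ..." gives 5
    function first_arg(line,   s) {
        s = line
        sub(/^[^(]*\(/, "", s)    # drop everything up to the opening parenthesis
        return s + 0
    }
    # Socket creation mentioning SOCK_RAW (so_socket on Solaris, socket on Linux)
    /socket\(/ && /SOCK_RAW/ {
        if ($0 ~ /Err#|= -1/) { failed++; next }   # creation refused, e.g. no privilege
        n = split($0, part, "= ")                  # return value follows "= "
        rawfd[part[n] + 0] = 1
        opened++
        next
    }
    # A closed descriptor may be reused for something else: stop tracking it
    /close\(/ { delete rawfd[first_arg($0)]; next }
    # Count only sends that go out through a tracked raw socket
    /(send|sendto|sendmsg|write|putmsg)\(/ {
        fd = first_arg($0)
        if (fd in rawfd) sends++
    }
    END { printf "raw_sockets=%d failed=%d sends=%d\n", opened, failed, sends }
    '
}

# Constructed sample trace (line format assumed, not captured from a real host)
raw_socket_summary <<'EOF'
so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", 1) = 3
so_socket(PF_INET, SOCK_RAW, IPPROTO_RAW, "", 1) = 5
recvmsg(3, 0xFFBFE8A0, 0) = 42
sendto(5, 0x0003A2C8, 70, 0, 0x0003B010, 16) = 70
EOF
```

A result of `raw_sockets=0 failed=0` means the trace contains no raw socket creation at all, while `failed` above zero means the open was attempted and refused.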