Ok,
I have tried everything you have given me and I am still coming up with nothing... Here is the output of my ldd:
ldd /usr/local/sbin/syslog-ng
libpthread.so.1 => /usr/lib/libpthread.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libdoor.so.1 => /usr/lib/libdoor.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libxnet.so.1 => /usr/lib/libxnet.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libthread.so.1 => /usr/lib/libthread.so.1
/usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
Notice libxnet. Should I be using it? Can it be causing the problem? How do I tell syslog-ng at compile time to use libnet.a or libnet.so?
On 10/14/05, Nate Campi <nate@campin.net> wrote:
Ellis,
I didn't mention in my email to you that you'll want the libnet.so file
in /tmp/foo - but first make sure you're dynamically linked using the ldd
command:
-0-[root@duo:masterfiles]# ldd /sbin/syslog-ng
libnsl.so.1 => /lib/libnsl.so.1 (0x40028000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4003c000)
libc.so.6 => /lib/libc.so.6 (0x4004e000)
/lib/ld-linux.so.2 (0x40000000)
You should see libnet.so in there somewhere if you're dynamically
linked. If you're statically linked then you have to narrow it down with
truss as Bazsi has said.
Good luck,
Nate
On Fri, Oct 14, 2005 at 05:35:13PM +0200, Balazs Scheidler wrote:
> On Thu, 2005-10-13 at 15:57 -0400, Chance Ellis wrote:
> > Ok,
> >
> > I copied the Solaris 8 libnet-config file to the /tmp/foo folder
> > on Solaris 9. I then ran:
> >
> > LD_LIBRARY_PATH=/tmp/foo:$LD_LIBRARY_PATH
> > truss /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -F &
> >
> >
> > I get the same result... Whenever I apply the spoof_source(yes) to the
> > config I do not get any messages forwarded to the destination. If I
> > remove the spoof_source(yes) messages flow but with the source IP
> > address from the syslog-ng server...
> >
> > The truss output is quite huge! Is there any piece of the truss output
> > that would help me to troubleshoot this? Is libnet-config the only
> > thing I need or do I need something in addition to libnet-config?
>
> libnet-config is not used at all while running syslog-ng, it is a
> build-time script that is invoked to query header location and linking
> information about the libnet library.
>
> libnet is usually linked statically, so there's no point in setting
> LD_LIBRARY_PATH either, you can check which one syslog-ng is using by
> using "ldd" and/or checking if you have a libnet.a file (static), or
> libnet.so file (dynamic), or both. If you have both, the linking
> parameters determine which one is used by syslog-ng, in this case ldd
> should tell you the truth.
>
> To analyze the truss path, you should look for the pattern of the
> message that should be sent out with a spoofed source address, and then
> you should see system calls like recvmsg() when the message is received
> and either send() or write() when it is sent. libnet uses raw sockets to
> send messages, syslog-ng is probably opening AF_INET, SOCK_RAW sockets
> in that case.
>
> Although Solaris uses socket emulation and thus the actual system calls
> you see in the truss output might not be the same as in Linux, this is
> pretty straightforward. By the way, it might be easier to analyze the
> truss output if you are running a syslog-ng instance which does not
> actually deliver a lot of messages, but only a single one, this way the
> truss output will not be so large.
--
Nate
"Often, when I am reading a good book, I stop and thank my teacher. That
is, I used to, until she got an unlisted number." - Unknown 15-year-old
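
Added example, not part of the thread or of syslog-ng: a small filter for a saved truss log that follows the advice quoted above, looking for an AF_INET/SOCK_RAW socket and then for send or write calls on that descriptor. The sample trace is constructed, and its line layout is an assumption about truss output that may need adjusting for your release.

```shell
#!/bin/sh
# Added example: triage a saved truss log for the raw-socket send path
# described in the thread (AF_INET/SOCK_RAW socket, then send()/write()).

# Constructed sample. The line layout is an assumption about truss output
# and differs between releases; adjust the patterns to your own log.
sample_truss() {
cat <<'EOF'
open("/usr/local/etc/syslog-ng.conf", O_RDONLY) = 3
so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", SOV_DEFAULT) = 4
so_socket(PF_INET, SOCK_RAW, IPPROTO_RAW, "", SOV_DEFAULT) = 5
recvmsg(4, 0xFFBFE8A0, 0) = 42
sendto(5, 0x0006F2B8, 70, 0, 0x0006E1C0, 16) Err#13 EACCES
EOF
}

# Reads truss output on stdin and prints one verdict:
#   no-raw-socket            no SOCK_RAW socket was opened successfully
#   raw-socket-never-written raw socket opened, nothing sent on it
#   raw-send-failed          a send/write on the raw socket returned an error
#   raw-send-ok              sends on the raw socket succeeded
triage_truss() {
  awk '
    /socket\(/ && /SOCK_RAW/ {
      if ($0 !~ /Err#/) { raw[$NF] = 1; nraw++ }   # $NF is the returned fd
      next
    }
    match($0, /(send|sendto|sendmsg|write)\(/) {
      fd = substr($0, RSTART + RLENGTH)            # text after "name("
      sub(/[^0-9].*/, "", fd)                      # keep the leading fd digits
      if (fd in raw) { if ($0 ~ /Err#/) failed++; else ok++ }
    }
    END {
      if (!nraw)       print "no-raw-socket"
      else if (failed) print "raw-send-failed"
      else if (ok)     print "raw-send-ok"
      else             print "raw-socket-never-written"
    }'
}

# Stand-alone run on the constructed sample.
sample_truss | triage_truss
```

To use it on a real trace, feed the saved truss log to `triage_truss` on stdin instead of the sample.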