Hello,

There is an `rp_filter` kernel feature that might affect you:
https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/

Or this may be another routing problem, firewall or SELinux. It would be worth checking if the packet arrives at the next hop using tcpdump.

Br,
Antal

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Edvinas Kairys <edvinas.email@gmail.com>
Sent: Wednesday, April 8, 2020 19:57
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] mystique with spoof_address

Hello,

I installed (yum install) the following version on a CentOS 7 box.

syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Dec 30 2015 19:57:24
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on

My goal is to forward syslog messages 'untouched' but to change the source address to the original one. For that case I'm using spoof-address.

My conf is like this:

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (no);
    mark-freq (0);
};

source s_network {
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

destination d_syslog_tcp {
    network("10.13.33.125" transport("udp") port(5140) spoof-source(yes));
};

log { source(s_network); destination(d_syslog_tcp); };
log { source(s_network); filter(f_default); destination(d_mesg); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

Strange thing that when I enable spoof-source, some packets are not transmitted to the destination. Even TCPDUMP says that it's sent, but I don't see some logs on the destination box.

Could it be something with the spoof_source command? Also I didn't compile it because I saw that SPOOF functionality is on in the syslog-ng -V output.

Any suggestions?

Thanks
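
Added example (not part of either message in this thread): a POSIX shell helper for the `rp_filter` check suggested in the reply, meant to be run on the destination box and on any Linux router in the path. It reports the effective reverse-path filter mode per interface, which the kernel takes as the higher of the `all` and per-interface values; the function names and the overridable directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: effective rp_filter mode per interface.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter):
#   0 = off, 1 = strict (RFC 3704), 2 = loose.
# In strict mode a packet is dropped when the route back to its source
# address does not leave through the interface it arrived on, which is
# how forwarded packets sent with spoof-source(yes) can look to a receiver.

# rp_filter_mode IFACE [CONF_DIR]
# CONF_DIR defaults to the live /proc tree; the override exists so the
# function can be exercised against a constructed directory.
rp_filter_mode() {
    conf_dir=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$conf_dir/all/rp_filter") || return 1
    ifc=$(cat "$conf_dir/$1/rp_filter") || return 1
    if [ "$all" -gt "$ifc" ]; then eff=$all; else eff=$ifc; fi
    case $eff in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($eff)" ;;
    esac
}

# rp_filter_report [CONF_DIR]
# Prints "<interface><TAB><mode>" for every real interface entry.
rp_filter_report() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for d in "$conf_dir"/*/; do
        ifname=$(basename "$d")
        case $ifname in
            all|default) continue ;;   # templates, not interfaces
        esac
        printf '%s\t%s\n' "$ifname" "$(rp_filter_mode "$ifname" "$conf_dir")"
    done
}

# Usage on a live host (after sourcing this file): rp_filter_report
```

An interface reported as `strict` on the receiving side is the first place to look when spoofed-source packets leave the sender in tcpdump but never reach the listening application.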