On Tue, 2005-10-18 at 14:28 -0400, Jay Benfield wrote:
For those new to this thread and wanting the Cliffs Notes, we have been unable to get the 'spoof_source' feature working under Solaris 9. In spite of syslog-ng being compiled with the --enable-spoof-source option and the corresponding dependencies satisfied to the best of my knowledge, when 'spoof_source(yes)' is present in a destination like:
destination d_foo { udp("<ip>" port(514) spoof_source(yes)); };
with a corresponding log statement like:
log { source(net); destination(d_foo); };
the destination syslog server does not receive a message at all. If 'spoof_source(yes)' is removed from the configuration the syslog message is received - sans source spoofing as expected.
To make things even more interesting, we have a Solaris 8 server running the same versions of software with the exact syslog-ng configuration that works flawlessly. Both boxen are running the following:
- syslog-ng 1.6.8 - libol 0.3.16 - libnet 1.1.2.1
I captured the truss output of 'syslog-ng -dv' for a single message on both the Solaris 8 server (operational) and the Solaris 9 server (soon to become a boat anchor) with spoof_source enabled. I've made these text files available at the following URL's:
http://benfield.org/lists/syslog-ng/truss_1message_sol8_20051018-01.txt http://benfield.org/lists/syslog-ng/truss_1message_sol9_20051018-01.txt
I've also uploaded the truss output from the Solaris 9 server prior to the syslog message being received.
http://benfield.org/lists/syslog-ng/truss_initial_sol9_20051018-01.txt
Please let me know if any other information would be helpful. I appreciate everyone's help!
As I see from the truss output, the raw socket is opened (it becomes fd number 8), but no message is written to this fd afterwards for some reason. so_socket(PF_INET, SOCK_RAW, IPPROTO_RAW, "", 1) = 8 setsockopt(8, ip, 2, 0xFFBFF864, 4, 1) = 0 getsockopt(8, SOL_SOCKET, SO_SNDBUF, 0xFFBFF864, 0xFFBFF860, 1) = 0 setsockopt(8, SOL_SOCKET, SO_SNDBUF, 0xFFBFF864, 4, 1) = 0 I can also see that instead of fd 8, syslog-ng writes the formatted UDP packet to fd 10, which is probably opened during initialization but was stripped from the truss output: setsockopt(8, SOL_SOCKET, SO_SNDBUF, 0xFFBFF864, 4, 1) = 0 // MESSAGE ABOVE REPEATED ELEVENTY-BILLION TIMES setsockopt(10, SOL_SOCKET, SO_SNDBUF, 0xFFBFF864, 4, 1) Err#132 ENOBUFS setsockopt(10, SOL_SOCKET, SO_BROADCAST, 0xFFBFF864, 4, 1) = 0 so syslog-ng definitely sends off a packet using fd 10, but I don't know what fd 10 is. Could you check your complete truss output to check whether it is there? Another question whether you one or two spoof_source enabled destination? As it seems you have at least two, because two similar fds are opened. Nevertheless syslog-ng (more precisely libnet) sends off the packet here: sendto(10, " E10\0 Z\0\0\0\0 @11 dED".., 90, 0, 0xFFBFF3C0, 16) = 90 basically it is the same as on Solaris 8: sendto(8, " E10\0 Z\0\0\0\0 @11 dED".., 90, 0, 0xFFBEF2F8, 16) = 90 (the only difference is the fd number used, but it does not really matter) My suspicion is that there's some packet filter/OS issue that prevents RAW sockets to work properly. Are you sure you cannot see the packet if you snoop the outgoing interface? Do you have proper outgoing routes? -- Bazsi