On Thu, 2005-10-13 at 15:57 -0400, Chance Ellis wrote:
> Ok,
> I copied the Solaris 8 libnet-config file to the /tmp/foo folder on Solaris 9. I then ran:
> LD_LIBRARY_PATH=/tmp/foo:$LD_LIBRARY_PATH truss /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -F &
> I get the same result... Whenever I apply the spoof_source(yes) to the config I do not get any messages forwarded to the destination. If I remove the spoof_source(yes) messages flow but with the source IP address from the syslog-ng server...
> The truss output is quite huge! Is there any piece of the truss output that would help me to troubleshoot this? Is libnet-config the only thing I need or do I need something in addition to libnet-config?
libnet-config is not used at all while running syslog-ng, it is a build-time script that is invoked to query header location and linking information about the libnet library. libnet is usually linked statically, so there's no point in setting LD_LIBRARY_PATH either, you can check which one syslog-ng is using by using "ldd" and/or checking if you have a libnet.a file (static), or libnet.so file (dynamic), or both. If you have both, the linking parameters determine which one is used by syslog-ng, in this case ldd should tell you the truth.

To analyze the truss path, you should look for the pattern of the message that should be sent out with a spoofed source address, and then you should see system calls like recvmsg() when the message is received and either send() or write() when it is sent. libnet uses raw sockets to send messages, syslog-ng is probably opening AF_INET, SOCK_RAW sockets in that case. Although Solaris uses socket emulation and thus the actual system calls you see in the truss output might not be the same as in Linux, this is pretty straightforward.

By the way, it might be easier to analyze the truss output if you are running a syslog-ng instance which does not actually deliver a lot of messages, but only a single one, this way the truss output will not be so large.

--
Bazsi
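An added example of the truss analysis Bazsi describes (not code from this thread or from the syslog-ng project): it assumes the trace was saved to a file with `truss -o`, and runs over a constructed excerpt in Solaris truss format so it can be tried anywhere, picking out the socket-path calls and checking whether the writes on the libnet raw socket succeeded or returned an error.

```sh
#!/bin/sh
# On the Solaris 9 box the trace would be captured with something like:
#   truss -f -o /tmp/syslog-ng.truss /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -F
# Below, a constructed excerpt (not real output) stands in for that file so the
# functions run anywhere: fd 4 is the UDP listener, fd 5 the SOCK_RAW socket
# libnet opens for spoof_source(yes); the second write on fd 5 is made to fail.
TRUSS_SAMPLE='so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", SOV_DEFAULT) = 4
bind(4, 0xFFBFF5A0, 16, SOV_SOCKBSD)            = 0
so_socket(PF_INET, SOCK_RAW, IPPROTO_RAW, "", SOV_DEFAULT) = 5
setsockopt(5, ip, IP_HDRINCL, 0xFFBFF5C0, 4, SOV_DEFAULT) = 0
poll(0x000A1234, 2, -1)                         = 1
recvmsg(4, 0xFFBFF4A0, 0)                       = 52
write(5, "E\0\0 T\0\0 @\0 @11", 84)             = 84
recvmsg(4, 0xFFBFF4A0, 0)                       = 51
write(5, "E\0\0 S\0\0 @\0 @11", 83)             Err#1 EPERM'

# Keep only the socket-path calls Bazsi says to look for, in order, dropping
# the poll()/time()/etc. noise that makes the full trace so large.
socket_calls() {
    grep -E '^(so_socket|socket|bind|setsockopt|recvmsg|recvfrom|recv|sendmsg|sendto|send|write)\('
}

# Summarise the path of a message: which fds are raw sockets, how many
# datagrams were received, and how many writes on the raw sockets succeeded
# or failed (truss prints a failure as "Err#NN NAME" instead of "= N").
trace_summary() {
    awk '
    /^so_socket\(PF_INET, SOCK_RAW/ { raw[$NF] = 1; fds = fds (fds ? "," : "") $NF; next }
    /^recvmsg\(/                    { received++; next }
    /^(write|send|sendto|sendmsg)\(/ {
        fd = $1; sub(/^[a-z]+\(/, "", fd); sub(/,.*/, "", fd)   # "write(5," -> "5"
        if (!(fd in raw)) next                                   # not the libnet socket
        if ($0 ~ /Err#/) failed++; else sent++
    }
    END { printf "raw_fds=%s received=%d sent=%d failed=%d\n", fds, received, sent, failed }'
}

printf '%s\n' "$TRUSS_SAMPLE" | socket_calls
printf '%s\n' "$TRUSS_SAMPLE" | trace_summary
```

Replace the constructed sample with `cat /tmp/syslog-ng.truss` to run it over a real trace; a non-zero `failed` count points at the raw-socket write as the place the spoofed message is lost.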