Fwd: [syslog-ng] spoof_source not working

Chance Ellis chance.ellis at gmail.com
Mon Oct 17 21:47:04 CEST 2005


Ok,
I have tried everything you have given me and I am still coming up with
nothing... Here is the output of my ldd:
ldd /usr/local/sbin/syslog-ng
libpthread.so.1 => /usr/lib/libpthread.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libdoor.so.1 => /usr/lib/libdoor.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libxnet.so.1 => /usr/lib/libxnet.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libthread.so.1 => /usr/lib/libthread.so.1
/usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
Notice libxnet. Should I be using it? Can it be causing the problem? How
do I tell syslog-ng at compile time to use libnet.a or libnet.so?
 On 10/14/05, Nate Campi <nate at campin.net> wrote:
>
> Ellis,
>
> I didn't mention in my email to you that you'll want the libnet.so file
> in /tmp/foo - but first make sure you're dynamically linked using the ldd
> command:
>
> -0-[root at duo:masterfiles]# ldd /sbin/syslog-ng
> libnsl.so.1 => /lib/libnsl.so.1 (0x40028000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x4003c000)
> libc.so.6 => /lib/libc.so.6 (0x4004e000)
> /lib/ld-linux.so.2 (0x40000000)
>
> You should see libnet.so in there somewhere if you're dynamically
> linked. If you're statically linked then you have to narrow it down with
> truss as Bazsi has said.
>
> Good luck,
> Nate
>
> On Fri, Oct 14, 2005 at 05:35:13PM +0200, Balazs Scheidler wrote:
> > On Thu, 2005-10-13 at 15:57 -0400, Chance Ellis wrote:
> > > Ok,
> > >
> > > I copied the Solaris 8 libnet-config file to the /tmp/foo folder
> > > on Solaris 9. I then ran:
> > >
> > > LD_LIBRARY_PATH=/tmp/foo:$LD_LIBRARY_PATH
> > > truss /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -F &
> > >
> > >
> > > I get the same result... Whenever I apply the spoof_source(yes) to the
> > > config I do not get any messages forwarded to the destination. If I
> > > remove the spoof_source(yes) messages flow but with the source IP
> > > address from the syslog-ng server...
> > >
> > > The truss output is quite huge! Is there any piece of the truss output
> > > that would help me to troubleshoot this? Is libnet-config the only
> > > thing I need or do I need something in addition to libnet-config?
> >
> > libnet-config is not used at all while running syslog-ng, it is a
> > build-time script that is invoked to query header location and linking
> > information about the libnet library.
> >
> > libnet is usually linked statically, so there's no point in setting
> > LD_LIBRARY_PATH either, you can check which one syslog-ng is using by
> > using "ldd" and/or checking if you have a libnet.a file (static), or
> > libnet.so file (dynamic), or both. If you have both, the linking
> > parameters determine which one is used by syslog-ng, in this case ldd
> > should tell you the truth.
> >
> > To analyze the truss path, you should look for the pattern of the
> > message that should be sent out with a spoofed source address, and then
> > you should see system calls like recvmsg() when the message is received
> > and either send() or write() when it is sent. libnet uses raw sockets to
> > send messages, syslog-ng is probably opening AF_INET, SOCK_RAW sockets
> > in that case.
> >
> > Although Solaris uses socket emulation and thus the actual system calls
> > you see in the truss output might not be the same as in Linux, this is
> > pretty straightforward. By the way, it might be easier to analyze the
> > truss output if you are running a syslog-ng instance which does not
> > actually deliver a lot of messages, but only a single one, this way the
> > truss output will not be so large.
>
> --
> Nate
>
> "Often, when I am reading a good book, I stop and thank my teacher. That
> is, I used to, until she got an unlisted number." - Unknown 15-year-old
>
>
>
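The two checks Bazsi and Nate describe above, as a script added here (it is not from the thread and not syslog-ng code): classify the `ldd` output by whether a libnet.so entry is present, then scan a truss/strace trace for the AF_INET/PF_INET SOCK_RAW socket that libnet has to open, and tell a successful open apart from a failed one. The ldd sample is the Solaris 9 listing posted in the thread; the trace lines are constructed to show the shape of truss and strace output and are not real traces. One caveat the thread does not state: raw sockets need root (or the equivalent privilege), so an EPERM or EACCES on that socket call points at privilege, not at linking.

```python
"""Triage helpers for the syslog-ng spoof_source() problem in the thread.

Added example, not syslog-ng code.  Two checks, scripted:
  1. does `ldd <syslog-ng>` list a dynamically linked libnet.so, and
  2. does the truss/strace output contain the raw-socket open that libnet
     needs, and did that open succeed.
Sample data below is constructed (the ldd text is the thread's own
listing; the trace lines are hypothetical, shaped like truss/strace).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One shared-object entry in ldd output: "libfoo.so.1 => /usr/lib/libfoo.so.1"
_LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)")

# socket()/so_socket() creating a raw IPv4/IPv6 socket, as printed by Linux
# strace or Solaris truss; group 1 = protocol, group 2 = the result tail.
_RAW_SOCK = re.compile(
    r"(?:so_)?socket\((?:AF|PF)_INET6?,\s*SOCK_RAW,\s*(\w+)[^)]*\)\s*(.*)$"
)


def libnet_linkage(ldd_output: str) -> str:
    """Classify how the binary gets libnet from the text of `ldd <binary>`.

    'dynamic'          : a libnet.so* entry is listed, so the runtime lookup
                         (and LD_LIBRARY_PATH) decides which copy is used.
    'static-or-absent' : no libnet.so listed; either libnet.a was linked in
                         or spoof_source support was not built at all.  Here
                         the trace, not the library path, is where to look.
    """
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m and m.group(1).startswith("libnet.so"):
            return "dynamic"
    return "static-or-absent"


@dataclass
class RawSocketEvent:
    protocol: str
    fd: Optional[int]      # descriptor on success, None on failure
    error: Optional[str]   # errno name on failure, None on success


def raw_socket_events(trace_output: str) -> List[RawSocketEvent]:
    """Extract every raw-socket open from truss/strace text."""
    events: List[RawSocketEvent] = []
    for line in trace_output.splitlines():
        m = _RAW_SOCK.search(line)
        if not m:
            continue
        proto, tail = m.groups()
        result = re.match(r"=\s*(-?\d+)", tail)          # strace/truss "= 5"
        if result and int(result.group(1)) >= 0:
            events.append(RawSocketEvent(proto, int(result.group(1)), None))
            continue
        # "= -1 EPERM (...)" (strace) or "Err#1 EPERM" (truss)
        err = re.search(r"\bE[A-Z]+\b", tail)
        events.append(RawSocketEvent(proto, None, err.group(0) if err else "EUNKNOWN"))
    return events


def diagnose(ldd_output: str, trace_output: str) -> str:
    """One-line verdict combining both checks."""
    events = raw_socket_events(trace_output)
    if not events:
        return ("no SOCK_RAW open in trace: the libnet send path was never "
                f"reached (linkage: {libnet_linkage(ldd_output)})")
    failed = [e for e in events if e.error]
    if failed:
        return (f"raw socket open failed with {failed[0].error}: check the "
                "privilege syslog-ng runs with; raw sockets need root")
    return (f"raw socket opened (fd {events[0].fd}); next inspect the "
            f"send()/write() calls on fd {events[0].fd} in the trace")


# --- constructed sample data -------------------------------------------------
LDD_SOLARIS9 = """\
libpthread.so.1 => /usr/lib/libpthread.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libxnet.so.1 => /usr/lib/libxnet.so.1
libc.so.1 => /usr/lib/libc.so.1
/usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
"""

# Hypothetical truss fragments, shaped like Solaris output (not real traces).
TRUSS_OK = """\
so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", SOV_DEFAULT) = 4
recvmsg(4, 0xFFBFF7A8, 0) = 52
so_socket(PF_INET, SOCK_RAW, IPPROTO_RAW, "", SOV_DEFAULT) = 5
write(5, 0x000A3C40, 80) = 80
"""
TRUSS_DENIED = 'so_socket(PF_INET, SOCK_RAW, IPPROTO_RAW, "", SOV_DEFAULT) Err#1 EPERM\n'

if __name__ == "__main__":
    print(libnet_linkage(LDD_SOLARIS9))
    print(diagnose(LDD_SOLARIS9, TRUSS_OK))
    print(diagnose(LDD_SOLARIS9, TRUSS_DENIED))
```

Run it against real output with `ldd /usr/local/sbin/syslog-ng > ldd.txt` and `truss -f -o truss.txt syslog-ng ... -F` while a single test message is sent, then feed both files to `diagnose()`; a trace with no SOCK_RAW open at all means the spoof_source code path was never entered, which is a build problem rather than a runtime one.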
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20051017/d5cce6c9/attachment-0001.html