[syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?

Balazs Scheidler bazsi at balabit.hu
Sun Jan 14 15:47:13 CET 2007


On Thu, 2007-01-11 at 10:24 -0600, Ivey, Chris wrote:
> Bazsi, 
>         Thanks for your help thus far.  After MUCH trial and error
> with enabling and disabling things in syslog-ng.conf, and watching
> "netstat -an" output after each attempt, I have narrowed this issue
> down to something to do with spoofing.  From my starting
> syslog-ng.conf file, if I do NOTHING but turn off spoofing, the Recv-Q
> buffer stops filling and all is happy.  If I turn on spoofing, those
> buffers start filling again.  I used tkdiff to compare my 2
> syslog-ng.conf files side-by-side, and the only differences between
> the 2 are the lines where the forward-to hosts are defined and where
> the destinations are defined (the bad server has lines commented, the
> good one does not).  Lsof on both machines for syslog-ng shows the
> same libraries opened and such.  So, the question now is what happens
> with spoofing that would cause all these issues?  What does spoofing
> do in the background that my server is unhappy about?  Any insight
> would be greatly appreciated!

As the server is "unhappy", it is probably some kind of spoof filtering,
e.g. the default route of the server points to a different interface,
and the server drops the packets because of this.

-- 
Bazsi
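
The kind of spoof filtering suggested in the reply above can be modelled as a strict reverse-path check. This is an added example, not part of the original message or of syslog-ng; the routing table, interface names and addresses are constructed, and the receiving server is assumed to apply strict reverse-path filtering.

```python
import ipaddress

# Constructed routing table of the receiving log server (hypothetical
# interface names, documentation-range addresses).
ROUTES = [
    ("0.0.0.0/0", "eth1"),      # default route points out of eth1
    ("192.0.2.0/24", "eth0"),   # the relay's subnet is attached to eth0
]

# Constructed packets as (source address, interface the packet arrived on).
PACKETS = [
    ("192.0.2.10", "eth0"),     # relay's own address (spoofing off)
    ("198.51.100.7", "eth0"),   # original client address kept by spoofing
    ("198.51.100.7", "eth1"),   # same source arriving on the default-route side
]


def lookup_interface(src_ip, routes):
    """Longest-prefix match: the interface the server would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_rpf_accepts(src_ip, arrival_iface, routes):
    """Accept only if the route back to the source uses the arrival interface."""
    return lookup_interface(src_ip, routes) == arrival_iface


def classify(packets, routes):
    """Return (source, interface, verdict) for each packet."""
    return [
        (src, iface, "accept" if strict_rpf_accepts(src, iface, routes) else "drop")
        for src, iface in packets
    ]


if __name__ == "__main__":
    for src, iface, verdict in classify(PACKETS, ROUTES):
        print(f"{src:15} via {iface}: {verdict}")
```

With spoofing on, the forwarded message carries the original client's address, so the route back to that source no longer matches the interface the relay's traffic arrives on.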


