[syslog-ng] mystique with spoof_address

Edvinas Kairys edvinas.email at gmail.com
Wed Apr 8 17:57:59 UTC 2020


Hello, I installed (yum install) the following version on a CentOS 7 box.

syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Dec 30 2015 19:57:24
Available-Modules:
affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on

My goal is to forward syslog messages 'untouched' but to change the source
address to the original one. For that I'm using spoof-address.

My conf is like this:

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (no);
    mark-freq (0);
};
source s_network {
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};
destination d_syslog_tcp {
    network("10.13.33.125" transport("udp") port(5140) spoof-source(yes));
};
log { source(s_network); destination(d_syslog_tcp); };
log { source(s_network); filter(f_default); destination(d_mesg); };
# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

The strange thing is that when I enable spoof-source, some packets are not
transmitted to the destination. Even tcpdump says they are sent, but I
don't see some logs on the destination box.
Could it be something with the spoof_source command? Also, I didn't compile it
myself because I saw that the SPOOF functionality is on in the syslog-ng -V output.

Any suggestions?

Thanks
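Since the question comes down to comparing what tcpdump shows leaving the relay with what actually arrives at the collector, here is a small Python script, added here and not part of the original post or of syslog-ng, that diffs a sender-side capture against a receiver-side capture and groups the missing messages by original source address. Both captures are constructed sample data in an assumed "<source-ip> <raw syslog payload>" one-line-per-message format (for example the result of post-processing a tcpdump run on each host); the 1024-byte threshold used to flag long payloads is also an assumption, chosen so that long messages show up separately from short ones when you look at the loss pattern.

```python
"""Diff a sender-side capture of raw syslog datagrams against the
receiver-side capture and report which messages never arrived.

Assumed capture format (not syslog-ng's own output): one message per line,
"<source-ip> <raw payload>", where source-ip is the IP the datagram carried
(the original client's address when spoof-source is in use).
"""
from collections import Counter
from typing import Dict, List, Tuple

# Assumed threshold: payloads longer than this are reported separately.
MAX_SAFE_LEN = 1024

# Constructed sample data: five messages sent by the relay ...
LONG_MSG = "<13>Apr  8 17:50:04 host12 app[9]: " + "x" * 1400
SENT_CAPTURE = "\n".join([
    "192.0.2.10 <34>Apr  8 17:50:01 host10 sshd[221]: Accepted publickey for ops",
    "192.0.2.10 <34>Apr  8 17:50:02 host10 sshd[221]: session opened",
    "192.0.2.11 <13>Apr  8 17:50:03 host11 cron[77]: (root) CMD (run-parts)",
    "192.0.2.12 " + LONG_MSG,
    "192.0.2.12 <13>Apr  8 17:50:05 host12 app[9]: short message",
])
# ... and only three of them seen on the collector.
RECEIVED_CAPTURE = "\n".join([
    "192.0.2.10 <34>Apr  8 17:50:01 host10 sshd[221]: Accepted publickey for ops",
    "192.0.2.11 <13>Apr  8 17:50:03 host11 cron[77]: (root) CMD (run-parts)",
    "192.0.2.12 <13>Apr  8 17:50:05 host12 app[9]: short message",
])


def parse_capture(text: str) -> List[Tuple[str, str]]:
    """Split each non-empty line into (source_ip, payload) at the first space."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, _, payload = line.partition(" ")
        records.append((ip, payload))
    return records


def find_missing(sent: List[Tuple[str, str]],
                 received: List[Tuple[str, str]]) -> Dict[str, object]:
    """Multiset difference sent - received, so duplicate messages are
    counted correctly; returns per-source loss and oversized misses."""
    missing = Counter(sent) - Counter(received)
    by_source: Dict[str, int] = {}
    oversized: List[Tuple[str, int]] = []
    for (ip, payload), count in missing.items():
        by_source[ip] = by_source.get(ip, 0) + count
        size = len(payload.encode("utf-8"))
        if size > MAX_SAFE_LEN:
            oversized.append((ip, size))
    return {
        "sent": len(sent),
        "received": len(received),
        "by_source": by_source,
        "oversized": oversized,
    }


def report(sent_text: str, received_text: str) -> Dict[str, object]:
    """Convenience wrapper: parse both captures and diff them."""
    return find_missing(parse_capture(sent_text), parse_capture(received_text))


if __name__ == "__main__":
    result = report(SENT_CAPTURE, RECEIVED_CAPTURE)
    print(f"sent={result['sent']} received={result['received']}")
    for ip, n in sorted(result["by_source"].items()):
        print(f"  missing from {ip}: {n}")
    for ip, size in result["oversized"]:
        print(f"  oversized miss from {ip}: {size} bytes")
```

Run it against captures taken on both hosts over the same window. A loss that is confined to one original source address, or only to the longest messages, narrows the search a great deal compared with a raw packet count, and the same diff can be rerun with spoof-source switched off to confirm that the option is what changes the outcome.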