This module sends log messages as UDP datagrams to the address and port specified and allows the source address in the UDP packet to be spoofed in order to make the packets appear as if they were sent from another host. This is particularly useful in situations where log data needs to be forwarded to another server and the server uses the client address to identify the data source. With IP spoofing the UDP packets will contain the IP address of the originating client that produced the message instead of the forwarding server.
This module is very similar to the om_udp module and can be used as a drop-in replacement. The SpoofAddress configuration directive can be used to set the address if necessary. The UDP datagram will be sent with the local IP address if the IP address to be spoofed is invalid. The source port in the UDP datagram will be set to the port number of the local connection (the port number is not spoofed).
The network input modules (im_udp, im_tcp, and
im_ssl) all set the
$MessageSourceAddress field, and this
value will be used when sending the UDP datagrams (unless
SpoofAddress is explicitly set to
something else). This allows logs to be collected over reliable and
secure transports (like SSL), while the om_udpspoof module is only
used for forwarding to the destination server that requires spoofed
The module will send UDP datagrams to this IP address or DNS hostname.
The module will send UDP packets to this port. The default port is 514 if this directive is not specified.
This optional directive specifies the local port number of the connection. If this is not specified a random high port number will be used which is not always ideal in firewalled network environments.
This directive can be used to specify the maximum transfer size of the IP data fragments. If this value exceeds the MTU size of the sending interface, an error may occur and the packet be dropped. The default MTU value is
This optional directive sets the socket buffer size (SO_SNDBUF) to the value specified. If this is not set, the operating system default is used.
This directive is optional. The IP address rewrite takes place depending on how this directive is specified.
- Directive not specified
The IP address stored in the
$MessageSourceAddressfield is used so the module should work automatically when the SpoofAddress directive is not specified.
- Constant literal value
The expression specified here will be evaluated for each message to be sent. Normally this can be a field name, but anything is accepted which evaluates to a string or an ip4addr type. For example,
SpoofAddress $MessageSourceAddresshas the same effect as when SpoofAddress is not set.
The im_tcp module will accept log messages via TCP and will set the
$MessageSourceAddress field for each event. This value will be used
by om_udpspoof to set the UDP source address when sending the data to
logserver via UDP.
This configuration accepts log messages via TCP and UDP, and also
reads messages from a file. Both im_tcp and
im_udp set the
$MessageSourceAddress field for incoming
messages, and in both cases this is used to set
im_file module instance is configured to set the
$sourceaddr field to
10.1.2.3 for all log messages. Finally, the
om_udpspoof output module instance is configured to read the value of
$sourceaddr field for spoofing the UDP source address.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 <Input tcp> Module im_tcp Host 0.0.0.0 Port 1514 Exec $sourceaddr = $MessageSourceAddress; </Input> <Input udp> Module im_udp Host 0.0.0.0 Port 1514 Exec $sourceaddr = $MessageSourceAddress; </Input> <Input file> Module im_file File '/var/log/myapp.log' Exec $sourceaddr = 10.1.2.3; </Input> <Output udpspoof> Module om_udpspoof SpoofAddress $sourceaddr Host 10.0.0.1 Port 1514 </Output> <Route all_to_file> Path tcp, udp, file => udpspoof </Route>