omudpspoof: UDP spoofing output module
Module Name: omudpspoof
Author: David Lang <david@lang.hm> and Rainer Gerhards <rgerhards@adiscon.com>
Available Since: 5.1.3
Purpose
This module is similar to the regular UDP forwarder, but permits spoofing the sender address. It can also cycle through a range of source ports.
Configuration Parameters
Note: Parameter names are case-insensitive.
Module Parameters
Template
type | default | mandatory | obsolete legacy directive |
---|---|---|---|
word | RSYSLOG_TraditionalForwardFormat | no | none |
This setting instructs omudpspoof to use a template different from the default template for all of its actions that do not have a template specified explicitly.
Action Parameters
Target
type | default | mandatory | obsolete legacy directive |
---|---|---|---|
word | none | yes | $ActionOMUDPSpoofTargetHost |
Host that the messages shall be sent to.
Port
type | default | mandatory | obsolete legacy directive |
---|---|---|---|
word | 514 | no | $ActionOMUDPSpoofTargetPort |
Remote port that the messages shall be sent to. Default is 514.
SourceTemplate
type | default | mandatory | obsolete legacy directive |
---|---|---|---|
word | RSYSLOG_omudpspoofDfltSourceTpl | no | $ActionOMOMUDPSpoofSourceNameTemplate |
This is the name of the template that contains a numerical IP address that is to be used as the source system IP address. While it may often be a constant value, it can be generated as usual via the property replacer, as long as it is a valid IPv4 address. If not specified, the built-in default template RSYSLOG_omudpspoofDfltSourceTpl is used. This template is defined as follows:

```
$template RSYSLOG_omudpspoofDfltSourceTpl,"%fromhost-ip%"
```

So in essence, the default template spoofs the address of the system the message was received from. This is considered the most important use case.
SourcePort.start
type | default | mandatory | obsolete legacy directive |
---|---|---|---|
integer | 32000 | no | $ActionOMUDPSpoofSourcePortStart |
Specify the start value for circling the source ports. Start must be less than or equal to sourcePort.End.
SourcePort.End
type | default | mandatory | obsolete legacy directive |
---|---|---|---|
integer | 42000 | no | $ActionOMUDPSpoofSourcePortEnd |
Specify the end value for circling the source ports. End must be equal to or more than sourcePort.Start.
MTU
type | default | mandatory | obsolete legacy directive |
---|---|---|---|
integer | 1500 | no | none |
Maximum packet length to send.
Template
type | default | mandatory | obsolete legacy directive |
---|---|---|---|
word | RSYSLOG_TraditionalForwardFormat | no | $ActionOMUDPSpoofDefaultTemplate |
This setting instructs omudpspoof to use a template different from the default template for all of its actions that do not have a template specified explicitly.
Caveats/Known Bugs
- IPv6 is currently not supported. If you need this capability, please let us know via the rsyslog mailing list.
- Throughput is MUCH lower than when using the omfwd module.
Examples
Forwarding message through multiple ports
Forward the message to 192.168.1.1, using the original source address and source ports between 10000 and 19999.

```
# Load the module before the action can use it
Module (
    load="omudpspoof"
)
Action (
    type="omudpspoof"
    target="192.168.1.1"
    sourceport.start="10000"
    sourceport.end="19999"
)
```
Forwarding message using another source address
Forward the message to 192.168.1.1, using source address 192.168.111.111 and default ports.

```
Module (
    load="omudpspoof"
)
Template (
    name="spoofaddr"
    type="string"
    string="192.168.111.111"
)
Action (
    type="omudpspoof"
    target="192.168.1.1"
    sourcetemplate="spoofaddr"
)
```
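The relay use case that the SourceTemplate section calls the most important one, written out as a complete configuration. This is an added example, not taken from the rsyslog documentation; the ruleset name, the template name and the listener settings are assumptions, and the collector address is reused from the examples above.

```conf
# Added example: a relay that re-sends received UDP syslog to a central
# collector while keeping the original sender's IPv4 address as the
# packet source. Names "origSender" and "relayToCollector" are made up.

module(load="imudp")
module(load="omudpspoof")

# Modern-syntax equivalent of the built-in default source template
# RSYSLOG_omudpspoofDfltSourceTpl: the spoofed source address is the
# IP address the relay received the message from.
template(name="origSender" type="string" string="%fromhost-ip%")

ruleset(name="relayToCollector") {
    action(
        type="omudpspoof"
        target="192.168.1.1"          # collector (assumed address)
        port="514"
        sourceTemplate="origSender"   # must render to a valid IPv4 address
        sourcePort.start="32000"      # must be <= sourcePort.end
        sourcePort.end="42000"
        mtu="1500"
        template="RSYSLOG_TraditionalForwardFormat"
    )
}

# Bind the listener to IPv4 only: omudpspoof does not support IPv6, so
# a sender address received over IPv6 could not be used as the source.
# Only messages arriving on this listener go through the spoofing action.
input(
    type="imudp"
    address="0.0.0.0"
    port="514"
    ruleset="relayToCollector"
)
```

With this in place the collector sees each message as coming from the originating device rather than from the relay, so source-based filtering on the collector should be written with that in mind.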