Perl: Sys::Syslog - replace hostname

Posted on 2009-07-11
Last Modified: 2012-05-07
I'm trying to write a syslog replayer and was wondering if there's a way to replace the originating hostname so that it logs that to syslog instead of my local machine's hostname.

For example, the logit sub below logs:
 ./logreplay.pl[8816]: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm ACC-FNET-AE\'  

The original message is:
Jun 19 05:11:57 ecdcsrvr2-6.some.domain 5476: Jun 19 05:11:56: %CSM_SLB-6-RSERVERSTATE: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'

So I want it to log the originating host as " ecdcsrvr2-6.some.domain"

use strict;
use warnings;
# setlogsock is not exported by default; ask for it explicitly.
use Sys::Syslog qw(:DEFAULT setlogsock);

sub logit {
    my ($priority, $message) = @_;
    setlogsock('unix');
    # $0 (the script name) becomes the ident/PROGRAM field.  Also log the PID
    # and to CONSole if there's a problem.  Use facility 'user'.
    openlog($0, 'pid,cons', 'user');
    # syslog() treats its second argument as a sprintf format, so pass the
    # replayed text as data via '%s'; otherwise a message containing '%'
    # (e.g. '%CSM_SLB-6-RSERVERSTATE') is interpreted as conversions.
    syslog($priority, '%s', $message);
    closelog();
    return 1;
}


Question by:cdukes
5 Comments
 

Expert Comment

by:clockwatcher
ID: 24833051
The first parameter to the openlog call is $ident and gets prepended to the log.  You're passing it $0 which is the name of the running script.  Try changing your openlog call to:

  openlog(" ecdcsrvr2-6.some.domain", 'pid,cons', 'user');

And see if it gets you what you're after.
 

Author Comment

by:cdukes
ID: 24833183
I tried it and, unfortunately, that just logs it to the PROGRAM field in syslog...

e.g.:
Jul 11 23:43:47 cdukes-lnx ecdcsrvr2-6.some.domain[8506]: %CSM_SLB-6-RSERVERSTATE:  Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'
 

Accepted Solution

by:clockwatcher (earned 2000 total points)
ID: 24846236
Pretty sure the syslogd daemon does a hostname lookup, which means you'd have to spoof your source IP. If your remote syslogging is done over UDP, spoofing the source IP isn't that difficult. There's an example (specific to syslog) in C here: http://insecure.org/sploits/aix.generic.syslogd.problem.html. You could modify it and call it from your perl program.

If you want to keep it in perl, a generic example of UDP source IP spoofing is here: http://perl-code.blogspot.com/2008/04/coke-spoofing-udp-flooder.html. It would have to be modified to actually send a properly formatted syslog entry, which based on the C example appears to be your syslog flags in brackets followed by the message (sprintf("<%d>%s", flags, message)). The RFC spec for exact details is here: http://tools.ietf.org/html/rfc3164.

Anyway... without hacking the syslogd source, pretty sure source IP spoofing is going to be your only option.
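The RFC 3164 layout the answer points to has a HOSTNAME field in the header, between the timestamp and the message, so a replayer can put the captured host there instead of relying on the collector's reverse lookup of the packet's source address. Whether the collector keeps that header hostname or overwrites it with the sender's address is a per-daemon setting (syslog-ng's keep_hostname() option, for example), so check the receiving side before deciding whether source-IP spoofing is needed at all. Either way the attribution caveat is the same: classic UDP syslog authenticates nothing, so a hostname in the header, or a reverse-resolved source IP, is only as trustworthy as everyone on the network path. The script below is an added example written for this edit, not code from the thread; the first sample line is the one quoted in the question, the second is constructed, and the facility local0 and the collector address are assumptions.

```perl
#!/usr/bin/perl
# Added example for this thread, not the original poster's code: emit RFC 3164
# datagrams whose HEADER carries the captured host, then replay them over UDP.
use strict;
use warnings;
use IO::Socket::INET;

# RFC 3164 numeric codes; PRI = facility * 8 + severity.
my %FACILITY = (
    kern => 0, user => 1, mail => 2, daemon => 3, auth => 4, syslog => 5,
    lpr => 6, news => 7, uucp => 8, cron => 9, authpriv => 10, ftp => 11,
    local0 => 16, local1 => 17, local2 => 18, local3 => 19,
    local4 => 20, local5 => 21, local6 => 22, local7 => 23,
);

# Constructed sample input: the line quoted in the question, plus one with a
# space-padded day and no Cisco severity tag to exercise the fallbacks.
my @captured = (
    "Jun 19 05:11:57 ecdcsrvr2-6.some.domain 5476: Jun 19 05:11:56: "
      . "%CSM_SLB-6-RSERVERSTATE: Module 9 server state changed: SLB-NETMGT: "
      . "TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'",
    "Jun  9 00:03:12 ecdcsrvr2-6.some.domain 5477: link down on Gi1/0/7",
);

# Split "Mmm dd hh:mm:ss HOSTNAME rest" into its three RFC 3164 pieces.
# Returns an empty list for anything that does not look like a syslog line.
sub parse_line {
    my ($line) = @_;
    my ($ts, $host, $msg) = $line =~
        /^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$/s
        or return;
    return ($ts, $host, $msg);
}

# Cisco "%FACILITY-N-MNEMONIC" tags embed the syslog severity N (0..7);
# use it when present, otherwise fall back to notice (5).
sub severity_of {
    my ($msg) = @_;
    my ($n) = $msg =~ /%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+/;
    return defined $n ? $n : 5;
}

# Assemble "<PRI>TIMESTAMP HOSTNAME MSG" and cap it at RFC 3164's 1024 bytes
# so the collector does not truncate it at an arbitrary point.
sub build_datagram {
    my ($facility, $severity, $ts, $host, $msg) = @_;
    exists $FACILITY{$facility} or die "unknown facility '$facility'\n";
    my $pri = $FACILITY{$facility} * 8 + $severity;
    return substr("<$pri>$ts $host $msg", 0, 1024);
}

# Ship each datagram to the collector.  Whether it keeps the HEADER hostname
# or overwrites it with the sender's address is the receiver's decision.
sub replay {
    my ($collector, $port, @datagrams) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $collector, PeerPort => $port, Proto => 'udp',
    ) or die "cannot open UDP socket to $collector:$port: $!\n";
    defined $sock->send($_) or die "send failed: $!\n" for @datagrams;
    $sock->close;
    return scalar @datagrams;
}

my @datagrams;
for my $line (@captured) {
    my ($ts, $host, $msg) = parse_line($line)
        or do { warn "skipping unparsable line: $line\n"; next };
    # Facility local0 is an assumption; pick whatever the collector filters on.
    push @datagrams, build_datagram('local0', severity_of($msg), $ts, $host, $msg);
}
print "$_\n" for @datagrams;

# Transmit only when a collector is named on the command line, e.g.
#   perl replay.pl logs.example.net 514
replay($ARGV[0], $ARGV[1] || 514, @datagrams) if @ARGV;
```

Run without arguments it only prints the datagrams (the first comes out as <134>Jun 19 05:11:57 ecdcsrvr2-6.some.domain 5476: ..., local0 with the Cisco severity 6), which is the quickest way to confirm the header before pointing it at a real collector. If the collector turns out to ignore the header hostname, the datagram builder is still what the spoofing approach from the accepted answer would have to hand to the raw socket.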
 

Author Comment

by:cdukes
ID: 24878432
Looks like the C code will work, thanks!
 

Author Closing Comment

by:cdukes
ID: 31602475
u rock, thanks!
