?
Solved

Perl: Sys::Syslog - replace hostname

Posted on 2009-07-11
5
Medium Priority
?
919 Views
Last Modified: 2012-05-07
I'm trying to write a syslog replayer and was wondering if there's a way to replace the originating hostname so that it logs that to syslog instead of my local machine's hostname.

For example, the logit sub below logs:
 ./logreplay.pl[8816]: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm ACC-FNET-AE\'  

The original message is:
Jun 19 05:11:57 ecdcsrvr2-6.some.domain 5476: Jun 19 05:11:56: %CSM_SLB-6-RSERVERSTATE: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'

So I want  it to log the originating host as " ecdcsrvr2-6.some.domain"
sub logit {
    my ($priority, $message) = @_;
    setlogsock('unix');
    # $prog is assumed to be a global.  Also log the PID
    # and to CONSole if there's a problem.  Use facility 'user'.
    openlog($0, 'pid,cons', 'user');
    syslog($priority, $message);
    closelog();
    return 1;
}

Open in new window

0
Comment
Question by:cdukes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 25

Expert Comment

by:clockwatcher
ID: 24833051
The first parameter to the openlog call is $ident and gets prepended to the log.  You're passing it $0 which is the name of the running script.  Try changing your openlog call to:

  openlog(" ecdcsrvr2-6.some.domain", 'pid,cons', 'user');

And see if it gets you what you're after.
0
 

Author Comment

by:cdukes
ID: 24833183
I tried it and, unfortunately, that just logs it to the PROGRAM field in syslog...

e.g.:
Jul 11 23:43:47 cdukes-lnx ecdcsrvr2-6.some.domain[8506]: %CSM_SLB-6-RSERVERSTATE:  Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'
0
 
LVL 25

Accepted Solution

by:
clockwatcher earned 2000 total points
ID: 24846236
Pretty sure the syslogd daemon does a hostname look up which means you'd have to spoof your source IP.   If your remote syslog'ing is done over UDP, spoofing the source IP isn't that difficult.  There's an example (specific to syslog) in C here:  http://insecure.org/sploits/aix.generic.syslogd.problem.html.  You could modify it and call it from your perl program.  

If you want to keep it in perl, a generic example of UDP source IP spoofing is here:  http://perl-code.blogspot.com/2008/04/coke-spoofing-udp-flooder.html.  It would have to be modified to actually send a properly formatted syslog entry-- which based on the C example appears to be your syslog flags in brackets followed by the message (sprintf("<%d>%s"., flags, message)).  The RFC spec for exact details is here: http://tools.ietf.org/html/rfc3164.

Anyway... without hacking the syslogd source, pretty sure source IP spoofing is going to be your only option.
0
 

Author Comment

by:cdukes
ID: 24878432
Looks like the C code will work, thanks!
0
 

Author Closing Comment

by:cdukes
ID: 31602475
u rock, thanks!
0

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many time we need to work with multiple files all together. If its windows system then we can use some GUI based editor to accomplish our task. But what if you are on putty or have only CLI(Command Line Interface) as an option to  edit your files. I…
Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question