Perl: Sys::Syslog - replace hostname

I'm trying to write a syslog replayer and was wondering if there's a way to replace the originating hostname so that it logs that to syslog instead of my local machine's hostname.

For example, the logit sub below logs:
 ./logreplay.pl[8816]: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm ACC-FNET-AE\'  

The original message is:
Jun 19 05:11:57 ecdcsrvr2-6.some.domain 5476: Jun 19 05:11:56: %CSM_SLB-6-RSERVERSTATE: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'

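So I want it to log the originating host as "ecdcsrvr2-6.some.domain"

use Sys::Syslog qw(:DEFAULT setlogsock);

sub logit {
    my ($priority, $message) = @_;
    setlogsock('unix');
    # Use the script name ($0) as the ident.  Also log the PID
    # and to CONSole if there's a problem.  Use facility 'user'.
    openlog($0, 'pid,cons', 'user');
    # Pass the message as an argument to a fixed '%s' format: replayed lines
    # such as "%CSM_SLB-6-..." contain '%' and must not be used as the format.
    syslog($priority, '%s', $message);
    closelog();
    return 1;
}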


cdukesAsked:

clockwatcherCommented:
The first parameter to the openlog call is $ident and gets prepended to the log.  You're passing it $0 which is the name of the running script.  Try changing your openlog call to:

  openlog(" ecdcsrvr2-6.some.domain", 'pid,cons', 'user');

And see if it gets you what you're after.
cdukesAuthor Commented:
I tried it and, unfortunately, that just logs it to the PROGRAM field in syslog...

e.g.:
Jul 11 23:43:47 cdukes-lnx ecdcsrvr2-6.some.domain[8506]: %CSM_SLB-6-RSERVERSTATE:  Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'
clockwatcherCommented:
Pretty sure the syslogd daemon does a hostname lookup, which means you'd have to spoof your source IP. If your remote syslog'ing is done over UDP, spoofing the source IP isn't that difficult. There's an example (specific to syslog) in C here: http://insecure.org/sploits/aix.generic.syslogd.problem.html. You could modify it and call it from your Perl program.

If you want to keep it in Perl, a generic example of UDP source IP spoofing is here: http://perl-code.blogspot.com/2008/04/coke-spoofing-udp-flooder.html. It would have to be modified to actually send a properly formatted syslog entry, which based on the C example appears to be your syslog flags in brackets followed by the message (sprintf("<%d>%s", flags, message)). The RFC spec for exact details is here: http://tools.ietf.org/html/rfc3164.

Anyway... without hacking the syslogd source, pretty sure source IP spoofing is going to be your only option.
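
The "<%d>%s" entry format mentioned in the answer above, worked through for the message quoted in the question. This is an added example, not code from the thread or from the linked pages. It assumes facility 'user' (as in the asker's logit sub) and severity 'info' (the 6 in %CSM_SLB-6-...); the collector address is a hypothetical command-line argument, and whether a receiver records the HOSTNAME header field or the datagram's source address depends on the receiver's configuration.

```perl
# Added example: rebuild an RFC 3164 packet from a stored log line,
# keeping the original TIMESTAMP and HOSTNAME header fields.
use strict;
use warnings;
use IO::Socket::INET;

# RFC 3164 numeric codes (subset).
my %FACILITY = (kern => 0, user => 1, daemon => 3, local0 => 16, local7 => 23);
my %SEVERITY = (emerg => 0, alert => 1, crit => 2, err => 3,
                warning => 4, notice => 5, info => 6, debug => 7);

# Split "Mmm dd hh:mm:ss host rest..." into header fields and content.
sub parse_stored_line {
    my ($line) = @_;
    my ($ts, $host, $rest) = $line =~
        /^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$/s
        or return;
    return { timestamp => $ts, hostname => $host, content => $rest };
}

# PRI = facility * 8 + severity; packet is "<PRI>TIMESTAMP HOSTNAME MSG".
sub build_rfc3164 {
    my ($facility, $severity, $rec) = @_;
    die "unknown facility/severity\n"
        unless exists $FACILITY{$facility} && exists $SEVERITY{$severity};
    my $pri = $FACILITY{$facility} * 8 + $SEVERITY{$severity};
    my $pkt = sprintf '<%d>%s %s %s', $pri,
        @{$rec}{qw(timestamp hostname content)};
    $pkt =~ s/[\r\n]+/ /g;          # one message per datagram
    return substr($pkt, 0, 1024);   # RFC 3164 packet length limit
}

# The original message quoted in the question.
my $stored = q{Jun 19 05:11:57 ecdcsrvr2-6.some.domain 5476: Jun 19 05:11:56: }
           . q{%CSM_SLB-6-RSERVERSTATE: Module 9 server state changed: }
           . q{SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 }
           . q{in serverfarm 'ACC-FNET-AE'};

my $rec = parse_stored_line($stored) or die "unparseable line\n";
my $pkt = build_rfc3164('user', 'info', $rec);   # PRI = 1*8 + 6 = 14
print "$pkt\n";

# Optional: pass a collector address (hypothetical) as the first argument.
if (my $collector = shift @ARGV) {
    my $sock = IO::Socket::INET->new(PeerAddr => $collector, PeerPort => 514,
                                     Proto => 'udp') or die "socket: $!\n";
    $sock->send($pkt) or die "send: $!\n";
}
```

The HOSTNAME field is supplied by the sender and is not authenticated, which is why receivers differ in whether they trust it.
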
cdukesAuthor Commented:
Looks like the C code will work, thanks!
cdukesAuthor Commented:
u rock, thanks!