Solved

Perl: Sys::Syslog - replace hostname

Posted on 2009-07-11
5
906 Views
Last Modified: 2012-05-07
I'm trying to write a syslog replayer and was wondering if there's a way to replace the originating hostname so that it logs that to syslog instead of my local machine's hostname.

For example, the logit sub below logs:
 ./logreplay.pl[8816]: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm ACC-FNET-AE\'  

The original message is:
Jun 19 05:11:57 ecdcsrvr2-6.some.domain 5476: Jun 19 05:11:56: %CSM_SLB-6-RSERVERSTATE: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'

So I want  it to log the originating host as " ecdcsrvr2-6.some.domain"
sub logit {
    my ($priority, $message) = @_;
    setlogsock('unix');
    # $prog is assumed to be a global.  Also log the PID
    # and to CONSole if there's a problem.  Use facility 'user'.
    openlog($0, 'pid,cons', 'user');
    syslog($priority, $message);
    closelog();
    return 1;
}

Open in new window

0
Comment
Question by:cdukes
  • 3
  • 2
5 Comments
 
LVL 25

Expert Comment

by:clockwatcher
ID: 24833051
The first parameter to the openlog call is $ident and gets prepended to the log.  You're passing it $0 which is the name of the running script.  Try changing your openlog call to:

  openlog(" ecdcsrvr2-6.some.domain", 'pid,cons', 'user');

And see if it gets you what you're after.
0
 

Author Comment

by:cdukes
ID: 24833183
I tried it and, unfortunately, that just logs it to the PROGRAM field in syslog...

e.g.:
Jul 11 23:43:47 cdukes-lnx ecdcsrvr2-6.some.domain[8506]: %CSM_SLB-6-RSERVERSTATE:  Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'
0
 
LVL 25

Accepted Solution

by:
clockwatcher earned 500 total points
ID: 24846236
Pretty sure the syslogd daemon does a hostname look up which means you'd have to spoof your source IP.   If your remote syslog'ing is done over UDP, spoofing the source IP isn't that difficult.  There's an example (specific to syslog) in C here:  http://insecure.org/sploits/aix.generic.syslogd.problem.html.  You could modify it and call it from your perl program.  

If you want to keep it in perl, a generic example of UDP source IP spoofing is here:  http://perl-code.blogspot.com/2008/04/coke-spoofing-udp-flooder.html.  It would have to be modified to actually send a properly formatted syslog entry-- which based on the C example appears to be your syslog flags in brackets followed by the message (sprintf("<%d>%s"., flags, message)).  The RFC spec for exact details is here: http://tools.ietf.org/html/rfc3164.

Anyway... without hacking the syslogd source, pretty sure source IP spoofing is going to be your only option.
0
 

Author Comment

by:cdukes
ID: 24878432
Looks like the C code will work, thanks!
0
 

Author Closing Comment

by:cdukes
ID: 31602475
u rock, thanks!
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've just discovered very important differences between Windows an Unix formats in Perl,at least 5.xx.. MOST IMPORTANT: Use Unix file format while saving Your script. otherwise it will have ^M s or smth likely weird in the EOL, Then DO NOT use m…
In the distant past (last year) I hacked together a little toy that would allow a couple of Manager types to query, preview, and extract data from a number of MongoDB instances, to their tool of choice: Excel (http://dilbert.com/strips/comic/2007-08…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question