Solved

Perl: Sys::Syslog - replace hostname

Posted on 2009-07-11
5
894 Views
Last Modified: 2012-05-07
I'm trying to write a syslog replayer and was wondering if there's a way to replace the originating hostname so that it logs that to syslog instead of my local machine's hostname.

For example, the logit sub below logs:
 ./logreplay.pl[8816]: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm ACC-FNET-AE\'  

The original message is:
Jun 19 05:11:57 ecdcsrvr2-6.some.domain 5476: Jun 19 05:11:56: %CSM_SLB-6-RSERVERSTATE: Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'

So I want  it to log the originating host as " ecdcsrvr2-6.some.domain"
sub logit {
    my ($priority, $message) = @_;
    setlogsock('unix');
    # $prog is assumed to be a global.  Also log the PID
    # and to CONSole if there's a problem.  Use facility 'user'.
    openlog($0, 'pid,cons', 'user');
    syslog($priority, $message);
    closelog();
    return 1;
}

Open in new window

0
Comment
Question by:cdukes
  • 3
  • 2
5 Comments
 
LVL 25

Expert Comment

by:clockwatcher
ID: 24833051
The first parameter to the openlog call is $ident and gets prepended to the log.  You're passing it $0 which is the name of the running script.  Try changing your openlog call to:

  openlog(" ecdcsrvr2-6.some.domain", 'pid,cons', 'user');

And see if it gets you what you're after.
0
 

Author Comment

by:cdukes
ID: 24833183
I tried it and, unfortunately, that just logs it to the PROGRAM field in syslog...

e.g.:
Jul 11 23:43:47 cdukes-lnx ecdcsrvr2-6.some.domain[8506]: %CSM_SLB-6-RSERVERSTATE:  Module 9 server state changed: SLB-NETMGT: TCP health probe re-activated server 10.13.164.13:0 in serverfarm 'ACC-FNET-AE'
0
 
LVL 25

Accepted Solution

by:
clockwatcher earned 500 total points
ID: 24846236
Pretty sure the syslogd daemon does a hostname look up which means you'd have to spoof your source IP.   If your remote syslog'ing is done over UDP, spoofing the source IP isn't that difficult.  There's an example (specific to syslog) in C here:  http://insecure.org/sploits/aix.generic.syslogd.problem.html.  You could modify it and call it from your perl program.  

If you want to keep it in perl, a generic example of UDP source IP spoofing is here:  http://perl-code.blogspot.com/2008/04/coke-spoofing-udp-flooder.html.  It would have to be modified to actually send a properly formatted syslog entry-- which based on the C example appears to be your syslog flags in brackets followed by the message (sprintf("<%d>%s"., flags, message)).  The RFC spec for exact details is here: http://tools.ietf.org/html/rfc3164.

Anyway... without hacking the syslogd source, pretty sure source IP spoofing is going to be your only option.
0
 

Author Comment

by:cdukes
ID: 24878432
Looks like the C code will work, thanks!
0
 

Author Closing Comment

by:cdukes
ID: 31602475
u rock, thanks!
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A year or so back I was asked to have a play with MongoDB; within half an hour I had downloaded (http://www.mongodb.org/downloads),  installed and started the daemon, and had a console window open. After an hour or two of playing at the command …
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question