UDP with IP Spoofing (om_udpspoof)

This module sends log messages as UDP datagrams to the address and port specified and allows the source address in the UDP packet to be spoofed to make the packets appear as if they were sent from another host. This is particularly useful in situations where log data needs to be forwarded to another server and the server uses the client address to identify the data source. With IP spoofing the UDP packets will contain the IP address of the originating client that produced the message instead of the forwarding server.

This module is very similar to the om_udp module and can be used as a drop-in replacement. The SpoofAddress configuration directive can be used to set the address if necessary. The UDP datagram will be sent with the local IP address if the IP address to be spoofed is invalid. The source port in the UDP datagram will be set to the port number of the local connection (the port number is not spoofed).

The network input modules (im_udp, im_tcp, and im_ssl) all set the $MessageSourceAddress field, and this value will be used when sending the UDP datagrams (unless SpoofAddress is explicitly set to something else). This allows logs to be collected over reliable and secure transports (like SSL), while the om_udpspoof module is only used for forwarding to the destination server that requires spoofed UDP input.

Configuration

The om_udpspoof module accepts the following directives in addition to the common module directives. The Host directive is required.

Required directives

The following directives are required for the module to start.

Host

The module connects to this IP address or hostname. If using a hostname, the module resolves the hostname to an IP address on each new connection.

You can define the port number by appending it to the IP address or hostname using a colon as a separator (host:port). The default port is 514.

IPv6 addresses must be enclosed in square brackets ([addr]:port). For example, [2001:0db8:85a3:0:0:8a2e:0370:7334]:514.

You can define this directive multiple times to connect to multiple hosts or ports in failover mode. Specify IPv4 and IPv6 addresses separately as needed. If you use a DNS name, you should keep the addresses or CNAMEs below 16 to avoid issues caused by DNS response size limits.

If the module is configured with multiple Host directives or a resolver, such as DNS, returns multiple addresses, the module will connect to the first reachable address. The module will remain connected to that address until it is stopped or the connection is severed. DNS changes are therefore not picked up by the module without intervention.

If the connection to an address fails, the module will attempt to connect to the next address until it reaches the end of the set of addresses for the same Host directive. Then, it performs a lookup on the next Host directive, if configured. Once all options are exhausted, the module will start over from the first address of the first Host directive until the connection can be re-established.

Optional directives

LocalPort

This optional directive specifies the local port number of the connection. If this is not specified, a random high port number will be used, which is not always ideal in firewalled network environments.

Due to the required TIME-WAIT delay in closing connections, attempts to bind to LocalPort may fail. In such cases, the message Address already in use will be written to nxlog.log. If the situation persists, it could impede network performance.

MTU

This directive can be used to specify the maximum transfer size of the IP data fragments. If this value exceeds the MTU size of the sending interface, an error may occur and the packet be dropped. The default MTU value is 1500.

OutputType

See the OutputType directive in the list of common module directives. If this directive is not specified, the default is Dgram.

Reconnect

This optional directive sets the reconnect interval in seconds. If it is set, the module attempts to reconnect in every defined second. If it is not set, the reconnect interval will start at 1 second and double with every attempt. In the latter case, when the system decides that the reconnection is successful, the reconnect interval is immediately reset to 1 sec.

The Reconnect directive must be used with caution. If it is used on multiple systems, it can send reconnect requests simultaneously to the same destination, potentially overloading the destination system. It may also cause NXLog Agent to use unusually high system resources or cause NXLog Agent to become unresponsive.

ReconnectOnData

This optional directive defines the behavior when the connection with the remote host is lost. When set to TRUE, the module only attempts to reconnect when it has data to send. The default value is FALSE; it will always keep a connection open with the remote host.

SockBufSize

This optional directive sets the socket buffer size (SO_SNDBUF) to the value specified. If this is not set, the operating system default is used.

SpoofAddress

The module rewrites the IP address depending on the value of this directive:

Directive not specified: The value of the $MessageSourceAddress field is used as the SpoofAddress.
Constant literal value: The value can be a string or ipaddr type. For example, SpoofAddress '10.0.0.42' or SpoofAddress 10.0.0.42.
Expression: The expression specified will be evaluated for each message to be sent. The expression can be a field name or any other value that evaluates to a string or ipaddr type. For example, SpoofAddress $MessageSourceAddress.

On Windows 7, Vista, and XP (SP2/SP3), UDP datagrams cannot be sent with a non-existing source address. See the Microsoft documentation on Limitations on Raw Sockets for details.

Procedures

The following procedures are exported by om_udpspoof.

reconnect();

Force a reconnection. This can be used from a Schedule block to periodically reconnect to the server.

The reconnect() procedure must be used with caution. If configured, it can attempt to reconnect after every event sent, potentially overloading the destination system.

Examples

Example 1. Log forwarding with IP address spoofing

The im_tcp module will accept log messages via TCP and will set the $MessageSourceAddress field for each event. This value will be used by om_udpspoof to set the UDP source address when sending the data to logserver via UDP.

nxlog.conf

<Input tcp>
    Module      im_tcp
    ListenAddr  0.0.0.0:1514
</Input>

<Output udpspoof>
    Module      om_udpspoof
    Host        logserver.example.com:1514
</Output>

<Route tcp_to_udpspoof>
    Path        tcp => udpspoof
</Route>

Example 2. Log forwarding with a spoofed IP address from multiple sources

This configuration accepts log messages via TCP and UDP and also reads logs from a file. Both im_tcp and im_udp set the $MessageSourceAddress field for incoming messages, and in both cases this is used to set $sourceaddr. The im_file module instance is configured to set the $sourceaddr field to 10.1.2.3 for all log messages. Finally, the om_udpspoof output module instance is configured to read the value of the $sourceaddr field for spoofing the UDP source address.

nxlog.conf

<Input tcp>
    Module          im_tcp
    ListenAddr      0.0.0.0:1514
    Exec            $sourceaddr = $MessageSourceAddress;
</Input>

<Input udp>
    Module          im_udp
    ListenAddr      0.0.0.0:1514
    Exec            $sourceaddr = $MessageSourceAddress;
</Input>

<Input file>
    Module          im_file
    File            '/var/log/myapp.log'
    Exec            $sourceaddr = 10.1.2.3;
</Input>

<Output udpspoof>
    Module          om_udpspoof
    Host            10.0.0.1:1514
    SpoofAddress    $sourceaddr
</Output>

<Route all_to_file>
    Path            tcp, udp, file => udpspoof
</Route>