UDP with IP Spoofing (om_udpspoof)
This module sends log messages as UDP datagrams to the address and port specified and allows the source address in the UDP packet to be spoofed in order to make the packets appear as if they were sent from another host. This is particularly useful in situations where log data needs to be forwarded to another server and the server uses the client address to identify the data source. With IP spoofing the UDP packets will contain the IP address of the originating client that produced the message instead of the forwarding server.
This module is very similar to the om_udp module and can be used as a drop-in replacement. The SpoofAddress configuration directive can be used to set the address if necessary. The UDP datagram will be sent with the local IP address if the IP address to be spoofed is invalid. The source port in the UDP datagram will be set to the port number of the local connection (the port number is not spoofed).
The network input modules (im_udp, im_tcp, and im_ssl) all set the $MessageSourceAddress
field, and this value will be used when sending the UDP datagrams (unless SpoofAddress is explicitly set to something else).
This allows logs to be collected over reliable and secure transports (like SSL), while the om_udpspoof module is only used for forwarding to the destination server that requires spoofed UDP input.
Configuration
The om_udpspoof module accepts the following directives in addition to the common module directives. The Host directive is required.
- Host
-
The module sends UDP datagrams to the IP address or hostname defined in this directive. If additional hosts are specified on new lines, the module works in a failover configuration. If a destination becomes unavailable, the module automatically fails over to the next one. If the last destination becomes unavailable, the module fails over to the first destination.
The port number can be defined by appending it at the end of the hostname or IP address using a colon as a separator (
host:port
). For each destination with no port number defined here, the port number specified in the Port directive is used. Port numbers defined here take precedence over any port number defined in the Port directive. The default port is 514.
- Port
-
The module sends UDP packets to this port. The default port is 514 if this directive is not specified.
The Port directive will become deprecated from NXLog EE 6.0. After that, the port can only be defined in the Host directive. |
- LocalPort
-
This optional directive specifies the local port number of the connection. If this is not specified, a random high port number will be used, which is not always ideal in firewalled network environments.
Due to the required |
- MTU
-
This directive can be used to specify the maximum transfer size of the IP data fragments. If this value exceeds the MTU size of the sending interface, an error may occur and the packet be dropped. The default MTU value is
1500
.
- OutputType
-
See the OutputType directive in the list of common module directives. If this directive is not specified, the default is Dgram.
- Reconnect
-
This optional directive sets the reconnect interval in seconds. If it is set, the module attempts to reconnect in every defined second. If it is not set, the reconnect interval will start at 1 second and doubles with every attempt. If the duration of the successful connection is greater than the current reconnect interval, then the reconnect interval will be reset to 1 sec.
The Reconnect directive must be used with caution. If it is used on multiple systems, it can send reconnect requests simultaneously to the same destination, potentially overloading the destination system. It may also cause NXLog to use unusually high system resources or cause NXLog to become unresponsive. |
- SockBufSize
-
This optional directive sets the socket buffer size (SO_SNDBUF) to the value specified. If this is not set, the operating system default is used.
- SpoofAddress
-
This directive is optional. The IP address rewrite takes place depending on how this directive is specified.
- Directive not specified
-
The IP address stored in the
$MessageSourceAddress
field is used so the module should work automatically when the SpoofAddress directive is not specified. - Constant literal value
-
The literal value may be a string or an ipaddr type. For example,
SpoofAddress '10.0.0.42'
andSpoofAddress 10.0.0.42
are equivalent. - Expression
-
The expression specified here will be evaluated for each message to be sent. Normally this can be a field name, but anything is accepted which evaluates to a string or an ipaddr type. For example,
SpoofAddress $MessageSourceAddress
has the same effect as when SpoofAddress is not set.
Procedures
The following procedures are exported by om_udpspoof.
reconnect();
-
Force a reconnection. This can be used from a Schedule block to periodically reconnect to the server.
The reconnect() procedure must be used with caution. If configured, it can attempt to reconnect after every event sent, potentially overloading the destination system.
Examples
Old syntax examples are included, they will become invalid with NXLog EE 6.0.
The im_tcp module will accept log messages via TCP and will set the $MessageSourceAddress
field for each event.
This value will be used by om_udpspoof to set the UDP source address when sending the data to logserver via UDP.
<Input tcp>
Module im_tcp
ListenAddr 0.0.0.0:1514
</Input>
<Output udpspoof>
Module om_udpspoof
Host logserver.example.com:1514
</Output>
# Using the syntax used before NXLog EE 5,
# where the port is defined in a separate directive.
#<Output udpspoof>
# Module om_udpspoof
# Host logserver.example.com
# Port 1514
#</Output>
<Route tcp_to_udpspoof>
Path tcp => udpspoof
</Route>
This configuration accepts log messages via TCP and UDP, and also reads messages from a file.
Both im_tcp and im_udp set the $MessageSourceAddress
field for incoming messages, and in both cases this is used to set $sourceaddr
.
The im_file module instance is configured to set the $sourceaddr
field to 10.1.2.3
for all log messages.
Finally, the om_udpspoof output module instance is configured to read the value of the $sourceaddr
field for spoofing the UDP source address.
<Input tcp>
Module im_tcp
ListenAddr 0.0.0.0:1514
Exec $sourceaddr = $MessageSourceAddress;
</Input>
<Input udp>
Module im_udp
ListenAddr 0.0.0.0:1514
Exec $sourceaddr = $MessageSourceAddress;
</Input>
<Input file>
Module im_file
File '/var/log/myapp.log'
Exec $sourceaddr = 10.1.2.3;
</Input>
<Output udpspoof>
Module om_udpspoof
Host 10.0.0.1:1514
SpoofAddress $sourceaddr
</Output>
# Using the syntax prior to NXLog EE 5,
# where the port is defined in a separate directive.
#<Input tcp>
# Module im_tcp
# Host 0.0.0.0
# Post 1514
# Exec $sourceaddr = $MessageSourceAddress;
#</Input>
#
#<Input udp>
# Module im_udp
# Host 0.0.0.0
# Post 1514
# Exec $sourceaddr = $MessageSourceAddress;
#</Input>
#
#<Input file>
# Module im_file
# File '/var/log/myapp.log'
# Exec $sourceaddr = 10.1.2.3;
#</Input>
#
#<Output udpspoof>
# Module om_udpspoof
# SpoofAddress $sourceaddr
# Host 10.0.0.1
# Port 1514
#</Output>
<Route all_to_file>
Path tcp, udp, file => udpspoof
</Route>