Syslog event generator with Net::RawIP (perl)

Recently I was asked to write a Syslog event generator, but not just an ordinary one: it had to generate events that appear to come from different hosts.

The normal ‘logger’ command sends Syslog messages from the machine’s own IP address, so logger wasn’t very useful. The only workable option seemed to be to generate my own Syslog packets and spoof the source address. After writing this handy little script, I realised that I had actually created a monster. A very evil, scary, mean-looking monster! I will show an example of a Syslog event generator (and later on one for SNMP events), but the code can be used for much more. Please keep in mind that I post this code for educational and debugging purposes only. If you want to use it for other reasons… well, that’s up to you! 🙂

The example shown here is a bit more worked out and put into an object-oriented structure. It could just as well have been a simple quick and dirty script.

The module we will use is Net::RawIP, which lets us build our own IP packets carrying TCP or UDP. We just need to work out how the packets must be formed for the Syslog daemon to accept them. Syslog over UDP carries no authentication at all: the collector records whatever source address the IP header claims, which is exactly what makes the spoofing below possible, and why that address should never be treated as proof of which host sent a message.

First I created a base class. This is the main class, which provides the constructor and defines the class interface.

Second, I need a UDP base class from which the Syslog module will inherit.

With all the base classes in place, we can finally focus on the Syslog class itself: a module that sends Syslog messages and lets us set the source IP address.

Our OO structure is now ready; all we need is a script that calls this code.

Running the script:

And that’s it! If we check our receiving network interface (on IP address with tcpdump, we would see our packets arriving:
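The same packet construction, as an added example in Python with only the standard library rather than the post’s Perl/Net::RawIP classes (this is not the author’s code). It builds the IPv4 and UDP headers by hand so the source address can be chosen freely, wraps an RFC 3164 syslog line as the payload, and parses the result back the way a collector or tcpdump would see it. The addresses, hostname and message are constructed sample values; the only part that needs root or a network is `send_raw`.

```python
"""Raw IPv4/UDP syslog datagram with a chosen (spoofed) source address.

Added example, not the Net::RawIP code from the post. Everything except
send_raw() runs offline, so the header fields a syslog daemon sees can be
inspected and checked. Addresses and the log line are constructed samples.
"""
import re
import socket
import struct
import time

SYSLOG_PORT = 514                 # syslog over UDP
IP_HDR_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header, no options
UDP_HDR_FMT = "!HHHH"             # sport, dport, length, checksum


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def syslog_payload(facility, severity, hostname, tag, msg, when=None) -> bytes:
    """BSD syslog line (RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    PRI is facility * 8 + severity; the day of month is space-padded.
    """
    when = when or time.localtime()
    ts = "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                        time.strftime("%H:%M:%S", when))
    line = "<%d>%s %s %s: %s" % (facility * 8 + severity, ts, hostname, tag, msg)
    return line.encode("ascii")


def build_packet(src_ip, dst_ip, payload, src_port=SYSLOG_PORT,
                 dst_port=SYSLOG_PORT, ident=0x1234, ttl=64) -> bytes:
    """IPv4 header + UDP header + payload. src_ip is whatever we claim it is."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)

    # The UDP checksum also covers a pseudo-header: src, dst, zero, proto, length.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_UDP, udp_len)
    udp_ck = checksum(pseudo + struct.pack(UDP_HDR_FMT, src_port, dst_port, udp_len, 0) + payload)
    udp_hdr = struct.pack(UDP_HDR_FMT, src_port, dst_port, udp_len, udp_ck or 0xFFFF)

    def ip_hdr(ck):
        return struct.pack(IP_HDR_FMT, (4 << 4) | 5, 0, 20 + udp_len, ident, 0,
                           ttl, socket.IPPROTO_UDP, ck, src, dst)

    return ip_hdr(checksum(ip_hdr(0))) + udp_hdr + payload


def parse_packet(pkt: bytes) -> dict:
    """Decode what the collector sees and verify both checksums."""
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _ck,
     src, dst) = struct.unpack(IP_HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, udp_len, udp_ck = struct.unpack(UDP_HDR_FMT, pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + udp_len]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, udp_len)
    # HOSTNAME field of the RFC 3164 line; the source IP is a separate, sender-chosen value.
    m = re.match(rb"<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ", payload)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "total_len": total_len, "sport": sport, "dport": dport, "payload": payload,
        # A header that includes its own valid checksum sums to zero.
        "ip_checksum_ok": checksum(pkt[:ihl]) == 0,
        "udp_checksum_ok": udp_ck == 0 or checksum(pseudo + pkt[ihl:ihl + udp_len]) == 0,
        "payload_hostname": m.group(1).decode("ascii") if m else None,
    }


def send_raw(pkt: bytes, dst_ip: str) -> None:
    """Put the datagram on the wire. Needs root/CAP_NET_RAW; with IP_HDRINCL the
    kernel sends our IP header, spoofed source included, unmodified."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst_ip, 0))


def demo() -> dict:
    """Constructed sample: an auth.info line 'from' 10.1.2.3 to collector 10.9.9.9."""
    payload = syslog_payload(4, 6, "webserver01", "sshd",
                             "Accepted publickey for root from 203.0.113.7 port 51515",
                             when=time.gmtime(0))
    pkt = build_packet("10.1.2.3", "10.9.9.9", payload)
    info = parse_packet(pkt)
    info["packet"] = pkt
    return info


if __name__ == "__main__":
    d = demo()
    print("%s:%d -> %s:%d %r" % (d["src"], d["sport"], d["dst"], d["dport"], d["payload"]))
    # send_raw(d["packet"], d["dst"])   # only on a lab network, as root
```

Running it prints the decoded datagram without sending anything. The parse makes the security point concrete: the "source host" the collector records is just the four bytes at offset 12 of a header the sender wrote, independent of the HOSTNAME field inside the message, so a UDP syslog source address is not evidence of origin; where origin matters, a trusted relay or syslog over TLS (RFC 5425) is the fix.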


Syslog event generator with Net::RawIP (perl) — 10 Comments

  1. Hi Johnny

    wow, this is really cool. I know very little about perl and scripting, but I am faced with a problem whereby I am receiving a sh#tload of syslog messages from Cisco devices. They are all received by a CiscoWorks LMS server, they are then filtered and then forwarded to another syslog collecting server. Thing is, that this collecting server “sees” all these messages coming from one device – which is the LMS server. I hope to use your script and modify this forwarding script so that it will show the original devices’ IP address.

  2. This is great stuff, however… when I attempt to run the script as presented above, I receive the following error:

    dev@ubuntu:~/Documents/syslog_generator$ ./
    Odd number of elements in anonymous hash at line 59.
    Can't use string ("source") as an ARRAY ref while "strict refs" in use at /usr/local/lib/perl/5.14.2/Net/ line 564.

    I’ve tried turning off strict, but still couldn’t get it working.

    Line 59 in

    my(@udp_data) = $self->{rawip}->get({ udp => @udp_fields });

    Line 564 in

    map { ${$$hash{"$self->{proto}h"}}{$_} = '$' } @{$hash->{$self->{proto}}};

    Perl 5.14.2.

    Any ideas?



    PS – running all with elevated permissions, just in case you need root to access Raw IP.

  3. Yep \@udp_fields and \@ip_fields should be in

    However, what on earth is � in Without it, it doesn’t send. With it you get \xEF\xBF on the end of the message?


  4. Actually, it does work it just seems to be acting as padding, a space does the same job without the strange hex codes.

  5. Hi Johnny,

    I want to change the source IP from which the syslog packet is being sent, e.g. the IP address of my machine is which is getting identified as the ‘log source’ IP; instead of that I want as the source IP. How do I do that? Please help.


  6. I’m not quite clear of the filenames and directory structure that the 2nd & 3rd pieces of code should be saved in. Can you elaborate on that, or give more specifics?

    • goes under Packet, and in there have a directory UDP in which goes, and in there a directory called syslog in which you put . The easiest thing to do is to have /Packet in the same directory as your perl script, unless you end up packaging your code properly.
