Get NXLog to use a random port for each connection
Hi All,
I wonder if someone can answer this for me.
According to the documentation, it states that for a UDP client, the localport will be a random high port as per https://nxlog.co/documentation/nxlog-user-guide/om_udp.html
I have a situation where I am sending Zeek logs via UDP through a Google Seesaw load balancer (see https://github.com/google/seesaw).
The issue I am facing is that each separate log packet / connection from NXLog has the same client source port, i.e. 41460 in my case.
Tcpdump confirms this:
Packet 1 15:55:10.533740 IP (tos 0x0, ttl 64, id 57228, offset 0, flags [DF], proto UDP (17), length 506) 172.16.4.10.41640 > 172.16.4.166.12210: [udp sum ok] UDP, length 478
Packet 2 15:55:10.534026 IP (tos 0x0, ttl 64, id 57229, offset 0, flags [DF], proto UDP (17), length 847) 172.16.4.10.41640 > 172.16.4.166.12210: [udp sum ok] UDP, length 819
Is there a way to get NXLog to use a random client port for each connection?
It looks as if it chooses a random high port when the service is started.
Cheers
Cyberkryption
The random high ports are called ephemeral ports. Unfortunately, the port number is assigned by the network stack of the OS when the socket/connection is created. Based on your requirements, om_udp would need to close the socket and allocate a new one for each event record, which would be quite inefficient. The only way I see this could work is via spoofing the address and port. The address spoofing is already implemented in the om_udpspoof module, which is an NXLog EE feature; however, it doesn't yet support spoofing the port number, though it wouldn't be hard to implement this.
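The behaviour described in the answer can be reproduced on loopback. The sketch below is an added example, not part of the original posts and not NXLog code; the function name `observed_source_ports`, the loopback receiver and the payloads are assumptions made for the demonstration. It sends the same number of datagrams once over a single long-lived UDP socket and once with a fresh socket per datagram, and records the source port the receiver sees for each.

```python
import socket
import time


def observed_source_ports(count, reuse_socket):
    """Send `count` UDP datagrams to a loopback receiver and return the
    source port the receiver saw for each one (hypothetical helper)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))          # receiver on an OS-chosen port
    rx.settimeout(2.0)
    dest = rx.getsockname()
    ports = []
    tx = None
    try:
        for i in range(count):
            if tx is None or not reuse_socket:
                if tx is not None:
                    tx.close()         # drop the old ephemeral port
                # No explicit bind: the OS picks the ephemeral source
                # port on the first sendto() and keeps it for the
                # lifetime of this socket.
                tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            tx.sendto(b"constructed event %d" % i, dest)
            _, (_, src_port) = rx.recvfrom(2048)
            ports.append(src_port)
    finally:
        if tx is not None:
            tx.close()
        rx.close()
    return ports


if __name__ == "__main__":
    for reuse in (True, False):
        start = time.perf_counter()
        ports = observed_source_ports(1000, reuse_socket=reuse)
        elapsed = time.perf_counter() - start
        label = "one socket" if reuse else "socket per datagram"
        print(f"{label}: {len(set(ports))} distinct source ports, "
              f"{elapsed:.3f}s for {len(ports)} datagrams")
```

With one socket, every datagram carries the same source port, which matches the tcpdump output in the question; a new port only appears when a new socket is created, at the cost of a socket setup and teardown per event.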