
Hi All,

I wonder if someone can answer this for me.

According to the documentation, it states that for a UDP client, the localport will be a random high port as per https://nxlog.co/documentation/nxlog-user-guide/om_udp.html

I have a situation where I am sending Zeek logs via UDP through a Google Seesaw load balancer, see https://github.com/google/seesaw

The issue I am facing is that each separate log packet / connection from NXLog has the same client source port, i.e. 41460 in my case.

Tcpdump confirms this:

Packet 1
15:55:10.533740 IP (tos 0x0, ttl 64, id 57228, offset 0, flags [DF], proto UDP (17), length 506) 172.16.4.10.41640 > 172.16.4.166.12210: [udp sum ok] UDP, length 478

Packet 2
15:55:10.534026 IP (tos 0x0, ttl 64, id 57229, offset 0, flags [DF], proto UDP (17), length 847) 172.16.4.10.41640 > 172.16.4.166.12210: [udp sum ok] UDP, length 819

Is there a way to get NXLog to use a random client port for each connection?

It looks as if it chooses a random high port when the service is started.

Cheers

Cyberkryption

Asked August 18, 2020 - 6:08pm

Answer (1)

The random high ports are called ephemeral ports. Unfortunately the port number is assigned by the network stack of the OS when the socket/connection is created. Based on your requirements om_udp would need to close the socket and allocate a new one for each event record which would be quite inefficient. The only way I see this could work is via spoofing the address and port. The address spoofing is already implemented in the om_udpspoof module which is an NXLog EE feature, however it doesn't yet support spoofing the port number, though it wouldn't be hard to implement this.
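To illustrate the point made in the answer, here is an added example (not NXLog code, and not from the original thread) that sends a few constructed Zeek-style records over UDP on the loopback interface: a single long-lived socket, as om_udp uses, gets one OS-assigned ephemeral source port for the whole session, whereas opening a fresh socket per record gets a new port each time at the cost of a socket creation per event. The receiver port and the record contents are constructed for the demo.

```python
import socket

# Constructed sample records standing in for Zeek JSON log lines (not real data).
RECORDS = [
    b'{"ts":1597766110.533,"uid":"C1","id.orig_h":"10.0.0.1"}',
    b'{"ts":1597766110.534,"uid":"C2","id.orig_h":"10.0.0.2"}',
    b'{"ts":1597766110.535,"uid":"C3","id.orig_h":"10.0.0.3"}',
]

def _receiver():
    """UDP listener on loopback; binding to port 0 lets the OS pick the port."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    return rx

def send_with_one_socket(records):
    """Like om_udp: one socket for the whole session. The network stack assigns
    an ephemeral port on the first sendto() and reuses it for every datagram."""
    rx = _receiver()
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ports = []
    for rec in records:
        tx.sendto(rec, rx.getsockname())
        _, (_, src_port) = rx.recvfrom(65535)   # source port as the receiver sees it
        ports.append(src_port)
    tx.close()
    rx.close()
    return ports

def send_with_socket_per_record(records):
    """The inefficient alternative the answer describes: a new socket, and so a
    new ephemeral port, per record. Sockets stay open until the end so the OS
    cannot hand the same port back while the demo runs."""
    rx = _receiver()
    held, ports = [], []
    for rec in records:
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        held.append(tx)
        tx.sendto(rec, rx.getsockname())
        _, (_, src_port) = rx.recvfrom(65535)
        ports.append(src_port)
    for s in held:
        s.close()
    rx.close()
    return ports

if __name__ == "__main__":
    print("one socket:       ", send_with_one_socket(RECORDS))
    print("socket per record:", send_with_socket_per_record(RECORDS))
```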