I needed to capture syslog events going to a specific server and then replay them later against a new server for testing purposes. I achieved this with Wireshark (its command-line capture tool, tshark) and tcpreplay.

Wireshark's command-line interface captures 3 hours of syslog events arriving on interface number 3 and writes the captured data to a file named after the capture time, such as 28_03_2011_12_56. Because the capture command runs in a loop, the end result is a set of self-rotating capture files.

@echo off
REM Loop forever: each pass writes one capture file, so the files rotate on their own.
:TOP
REM Build a name such as 28_03_2011_12_56 from %date% and %time%, replacing / and : with _
REM (assumes %date% looks like "Mon 28/03/2011"; the leading quote in MY_HOUR is skipped by ~1,5)
set MY_DATE=%date:/=_%
set MY_HOUR="%time::=_%"
set FILE_NAME=%MY_DATE:~4%_%MY_HOUR:~1,5%

echo %FILE_NAME%

REM Capture UDP port 514 on interface 3 for 14400 seconds, then start the next file
"c:\Wireshark\tshark.exe" -a duration:14400 -i 3 -f "udp port 514" -w "%FILE_NAME%"
REM PAUSE
GOTO TOP

We can then rewrite the layer 2 destination MAC address so that the frames are delivered to the new server. This is done with tcprewrite; in this example the new server's MAC address is aa:bb:cc:dd:11:22. Note that only the Ethernet header changes: the IP header still carries the old server's address, so the new host will only accept the datagrams if it answers to that IP or if the destination IP is rewritten as well (tcprewrite's --dstipmap option).

$ tcprewrite --enet-dmac=aa:bb:cc:dd:11:22 --infile=syslog_capture --outfile=syslog_rewrite

The rewritten pcap is written to syslog_rewrite, and we can now replay it at 10 packets per second out of interface xl0:

$ tcpreplay --pps=10 --intf1=xl0 syslog_rewrite
sending out xl0
processing file: syslog_rewrite

Actual: 1591 packets (407038 bytes) sent in 159.12 seconds
Rated: 2558.0 bps, 0.02 Mbps/sec, 10.00 pps

Statistics for network device: xl0
        Attempted packets:   1591
        Successful packets:  1591
        Failed packets:      0
        Retried packets:     0
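As an added example (not from the original post), the following Python covers the capture and rewrite steps above: it parses a libpcap file such as tshark -w produces, verifies before replay that every frame really is IPv4 UDP with port 514 on one side (what the 'udp port 514' filter should have captured), reports the destination MACs and IPs found, and performs the same destination-MAC rewrite as tcprewrite --enet-dmac so the result can be compared against tcpreplay's packet and byte counts. The sample pcap, MAC addresses, IP addresses and messages are constructed.

```python
"""Check a syslog pcap and rewrite its destination MAC (added example; all sample data is constructed)."""
import struct
PCAP_MAGIC, ETH_IPV4, IP_UDP, SYSLOG_PORT = 0xA1B2C3D4, 0x0800, 17, 514

def iter_frames(pcap: bytes):
    """Yield (16-byte record header, frame bytes) for each record of a little-endian libpcap file."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off = 24                                   # skip the 24-byte global header
    while off < len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        yield pcap[off:off + 16], pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def summarize(pcap: bytes) -> dict:
    """Count frames/bytes and verify each is IPv4 UDP with port 514 on either side (the 'udp port 514' filter)."""
    count, total, dmacs, dst_ips = 0, 0, set(), set()
    for _, frame in iter_frames(pcap):
        eth_type = struct.unpack_from("!H", frame, 12)[0]
        ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
        proto = frame[14 + 9]
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        if eth_type != ETH_IPV4 or proto != IP_UDP or SYSLOG_PORT not in (sport, dport):
            raise ValueError(f"non-syslog frame: type={eth_type:#06x} proto={proto} ports={sport}->{dport}")
        count, total = count + 1, total + len(frame)
        dmacs.add(frame[:6].hex(":"))
        dst_ips.add(".".join(str(b) for b in frame[14 + 16:14 + 20]))
    return {"packets": count, "bytes": total, "dst_macs": sorted(dmacs), "dst_ips": sorted(dst_ips)}

def rewrite_dmac(pcap: bytes, new_mac: str) -> bytes:
    """Replace the Ethernet destination MAC in every frame, as tcprewrite --enet-dmac does (no checksum covers it)."""
    mac = bytes.fromhex(new_mac.replace(":", ""))
    out = [pcap[:24]]
    for hdr, frame in iter_frames(pcap):
        out.append(hdr + mac + frame[6:])
    return b"".join(out)

def _syslog_frame(dst_mac: str, dst_ip: str, msg: bytes) -> bytes:
    """Build one Ethernet/IPv4/UDP frame carrying a syslog message (constructed sample data)."""
    udp = struct.pack("!HHHH", 40000, SYSLOG_PORT, 8 + len(msg), 0) + msg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IP_UDP, 0,
                     bytes([10, 0, 0, 5]), bytes(int(o) for o in dst_ip.split(".")))
    return bytes.fromhex(dst_mac.replace(":", "")) + bytes(6) + struct.pack("!H", ETH_IPV4) + ip + udp

def sample_pcap() -> bytes:
    """Two constructed syslog frames to the old server, wrapped in a libpcap file like tshark -w writes."""
    frames = [_syslog_frame("00:aa:bb:cc:dd:ee", "10.0.0.20", b"<13>Mar 28 12:56:01 host1 test: hello"),
              _syslog_frame("00:aa:bb:cc:dd:ee", "10.0.0.20", b"<14>Mar 28 12:56:02 host2 test: world")]
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # magic, v2.4, snaplen, LINKTYPE_ETHERNET
    return hdr + b"".join(struct.pack("<IIII", 1301316960 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
```

Run summarize() on a real capture before tcprewrite and again on its output: the packet and byte counts must match each other and the "Actual:" line tcpreplay prints, and dst_macs must show only the new server's address.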