[syslog-ng]Syslog forwarding

Hamilton, Andrew Andrew.Hamilton@afccc.af.mil
Wed, 30 Oct 2002 15:44:07 -0500


Fernando,

I did the very same thing you are doing for several years.  syslog-ng is
perfect for that in that it will allow you to configure both ways.  It will
spoof the name or it will leave the name.  By setting various options you
can get a combination of the two even.  Look at keep_hostname(yes) this
tells syslog-ng to keep the hostname it got from the message, use_fqdn(yes),
fqdn is important if you have multiple domains with the same hostname in
different domains such as ns1.  Also chain_hostnames(no), syslog-ng will
chain the hostnames together if you don't turn this off.  For CiscoWorks you
want to turn this off.  Realize also that if you have a central loghost that
is different from the CiscoWorks machine you must also run syslog-ng on that
host as well.

Regards,

Drew

-----Original Message-----
From: Fernando Cardoso [mailto:fernando.cardoso@whatevernet.com]
Sent: Wednesday, October 30, 2002 3:32 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Syslog forwarding


Hi all

I'm designing a solution where I need to forward syslog messages to 2
different servers (Cisco Works and a log correlation system). The messages
will be sent from Cisco routers and PIXes to a box running syslog-ng that
will forward the messages to the servers according to the facility and
levels defined on filters.

My question regards the origin of the messages as they will be seen by the
end servers. Since both Cisco Works and the log correlation engine rely on
the source IP to acknowledge and trigger alarms, will they see the syslog-ng
box IP or the original IP address of the routers and PIXes? In other words
will syslog-ng spoof the source IP addresses when forwarding the messages?

Thanks in advance

Fernando




_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
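
The relay setup discussed in this thread, as an added example that is not part of the original messages: a syslog-ng configuration that takes messages from the network devices, applies the three options named in the reply, and forwards to two servers by facility and level. The addresses, object names and the facility/level split are assumptions chosen for illustration.

```conf
# Added example: syslog-ng relay between Cisco devices and two log servers.
# All addresses, object names and filter choices are placeholders/assumptions.

options {
    keep_hostname(yes);     # keep the hostname carried in the received message
    use_fqdn(yes);          # use fully qualified names, so "ns1" in two domains stays distinct
    chain_hostnames(no);    # do not chain relay hostnames together
};

# Messages arriving from the routers and PIXes
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Assumed split: one facility/level selection per downstream server
filter f_ciscoworks  { facility(local7) and level(info..emerg); };
filter f_correlation { facility(local4) and level(warning..emerg); };

destination d_ciscoworks  { udp("192.0.2.10" port(514)); };   # placeholder address
destination d_correlation { udp("192.0.2.20" port(514)); };   # placeholder address

log { source(s_net); filter(f_ciscoworks);  destination(d_ciscoworks); };
log { source(s_net); filter(f_correlation); destination(d_correlation); };
```

These options govern the hostname recorded in each forwarded message. Capture a forwarded packet on each downstream server to confirm which field its alarm matching actually uses before relying on the relay.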