That's exactly the problem. I cannot keep a hostname that was never written in the first place.<br>The DELL server administrator doesn't send it. As per my email below it sends this:<br><br>Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242 The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)<br>
<br>So if I do a "keep_hostname" syslog-ng assumes that the server is called "Server" which is of course wrong.<br><br><div class="gmail_quote">On Thu, Sep 2, 2010 at 8:21 AM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div></div><div class="h5">On Tue, 2010-08-17 at 18:26 -0700, stucky wrote:<br>
> Guys<br>
><br>
> I'm trying to log to a loadbalanced VIP. It seems to work ok except<br>
> that the loadbalancer uses SNAT so I lose my source IP.<br>
> This means I cannot use dns or even the source ip to get the source<br>
> host as all logs appear to come from the same source (the<br>
> loadbalancer).<br>
> This means I have no choice but to rely on the hostname field which<br>
> works about 98% of the time but some stuff like Dell OpenManage skips<br>
> the hostname field.<br>
> So I'd get logs like this on host "cage" f.e.<br>
><br>
> Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242<br>
> The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)<br>
><br>
> I fixed that by telling the syslog-ng client to force itself to figure<br>
> out a proper hostname and now the log looks like this<br>
><br>
> Aug 17 13:51:10 cage Administrator[]: Instrumentation Service EventID:<br>
> 1000 Server Administrator starting<br>
><br>
> I thought syslog-ng inserts the hostname but by the looks of it it<br>
> simply replaces whatever is in the expected field with the hostname it<br>
> has just figured out.<br>
> As you can see it overwrote the entry "Server".<br>
> No biggie in the above case but what if this field contained valuable<br>
> information? I'd lose that.<br>
> Any way to squeeze in the hostname so to speak?<br>
<br>
</div></div>What about keep_hostname(yes)?<br>
<div><div></div><div class="h5"><br>
<br>
--<br>
Bazsi<br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>stucky<br>
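The attribution problem discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: taking the first token after the timestamp as the hostname turns "Server" into the sender, while checking that token against a list of known hosts lets the client insert its own name and keep the original text. The host inventory `KNOWN_HOSTS`, the function names and the use of "cage" as the local name are assumptions for illustration; the two log lines are the ones quoted above.

```python
import re

# Simplified BSD syslog layout without the <PRI> prefix, as quoted in the thread:
# "Mmm dd hh:mm:ss HOST TAG: text"
BSD_LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

# Log lines taken from the thread.
DELL_LINE = ("Aug 16 21:47:22 Server Administrator: Storage Service EventID: 2242 "
             "The Patrol Read has started.: Controller 0 (PERC 5/i Integrated)")
NORMAL_LINE = ("Aug 17 13:51:10 cage Administrator[]: Instrumentation Service "
               "EventID: 1000 Server Administrator starting")

# Assumption: a constructed inventory of hostnames allowed to appear in logs.
KNOWN_HOSTS = {"cage"}


def naive_parse(line):
    """Trust the received line: first token after the timestamp is the host."""
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError("not a BSD-style syslog line")
    host, _, msg = m.group("rest").partition(" ")
    return m.group("ts"), host, msg


def attribute(line, known_hosts, local_name):
    """Return (ts, host, msg, trusted).

    If the parsed host is not in the inventory, the sender skipped the
    hostname field: insert local_name and keep the full remainder as the
    message, so the token that sat in the host position is not lost.
    """
    ts, host, msg = naive_parse(line)
    if host in known_hosts:
        return ts, host, msg, True
    return ts, local_name, f"{host} {msg}", False


if __name__ == "__main__":
    for sample in (DELL_LINE, NORMAL_LINE):
        ts, host, msg, trusted = attribute(sample, KNOWN_HOSTS, "cage")
        flag = "" if trusted else "  [hostname inserted]"
        print(f"{ts} {host} {msg}{flag}")
```
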