<div> </div><div>We're currently running loghosts/aggregators for each data center and two OS types. This works fine. We are now trying to forward all syslogs from our aggregators to another single aggregator (a security loghost, sec-loghost, which is proprietary). We are having a problem retaining hostname when forwarding from a loghost aggregator to ANOTHER loghost - but only from one OS type / syslog-ng install.</div>
<div> </div><div>We've been running syslog-ng for some time on RHEL (and previously SLES) and AIX, in a loghost configuration, with no issues. Our current architecture (example):</div><div> </div><div><div>data center 1:</div>
<blockquote style="margin-right:0px" dir="ltr"><div>rhelhostX -> rhel-loghost1</div><div>aixhostX -> aix-loghost1</div></blockquote><div>data center 2:</div><blockquote style="margin-right:0px" dir="ltr"><div>rhelhostX -> rhel-loghost2</div>
<div>aixhostX -> aix-loghost2</div></blockquote> </div><div>aix-loghost's are running syslog-ng 3.0.5, RHEL loghost's are running syslog-ng 3.1.4. Both are similarly configured (see below), and are working fine as advertised by themselves - e.g. each loghost gets $HOST_FROM and properly stores the logs for that host in our architecture (/logs/$YEAR/$MONTH/$DAY/$HOST_FROM/).</div>
<div> </div><div>However, given data center 1, if syslogs follow this path:</div><blockquote style="margin-right:0px" dir="ltr"><div>aixhostX -> aix-loghost1 -> sec-loghost</div></blockquote><blockquote style="margin-right:0px" dir="ltr">
<div>rhelhostX -> rhel-loghost1 -> sec-loghost</div><div>rhelhostX -> rhel-loghost1 -> rhel-loghost2</div></blockquote><div>sec-loghost sees syslogs from all aixhostXs (even though they passed through aix-loghost1) correctly. However, sec-loghost (and we also tested going to rhel-loghost2) sees ALL syslog entries as coming from rhel-loghost, even though it's simply aggregating from rhelhostX's. loghost1's all correctly get $HOST_FROM and see syslog record hosts correctly. This issue only occurs when forwarding again to another loghost.</div>
<div> </div><div>Our nutshell configuration on BOTH loghosts (related to this) is:</div><div> </div><div>options {<br> chain_hostnames(no);<br> keep_hostname(yes);<br>
use_fqdn(no);<br> use_dns(yes);<br>};<br></div><div>Any ideas on how to fix this? The only hint I've gotten is from our networks group, who uses kiwi syslog and had to make sure a checkbox for RFC 3164 headers compliance was turned on. I don't see an equivalent of that not already set with the above config.</div>
<div> </div><div>Thanks,</div><div>Ian</div><div> </div>