<div dir="auto"><div>Thanks Laszlo, I will try that and get back.</div><div dir="auto"><br></div><div dir="auto">Raghu<br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Fri, Nov 29, 2019, 19:40 Pal, Laszlo <<a href="mailto:vlad@vlad.hu">vlad@vlad.hu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr">If <span style="color:rgb(255,0,0)">172.22.2.55 is your relay, use keep-hostname option </span></div><div dir="ltr"><span style="color:rgb(255,0,0)"><br></span></div><div dir="ltr"><a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/keep-hostname" target="_blank" rel="noreferrer">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/keep-hostname</a><span style="color:rgb(255,0,0)"><br></span></div><div dir="ltr"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Nov 29, 2019 at 2:24 PM Raghunath Adhyapak <<a href="mailto:funduraghu@gmail.com" target="_blank" rel="noreferrer">funduraghu@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi,<div><br></div><div>I'm observing that syslog-ng is modifying the SYSLOGHOST in the incoming log line and outputting an IP instead.</div><div>I would like to retain the incoming hostname in incoming syslog and forward the same information.</div><div><br></div><div>Here is my incoming log line:</div><div><13>Nov 29 04:07:40 BVRM-DC04 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=<a href="http://BVRM-DC04.xxxxxxxx.com" 
target="_blank" rel="noreferrer">BVRM-DC04.xxxxxxxx.com</a>\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was logged off.<br></div><div><br></div><div>Outgoing log line:</div><div><13>Nov 29 04:07:40 <font color="#ff0000">172.22.2.55</font> AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=<a href="http://BVRM-DC04.xxxxxxxx.com" target="_blank" rel="noreferrer">BVRM-DC04.xxxxxxxx.com</a>\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was logged off.<br></div><div><br></div><div>FYI, this is log from Windows, but same is happening for syslog from other firewalls as well.</div><div><br></div><div>My syslog-ng.conf:</div><div><br></div><div><div>@version: 3.24</div><div>@include "scl.conf"</div><div>########################</div><div># Sources</div><div>########################</div><div>source s_test_net { syslog(transport(udp) port(2514) ); };</div><div>########################</div><div># Destinations</div><div>########################</div></div><div><div>destination d_test { file("/tmp/test.log"); };</div><div>########################</div><div># Log paths</div><div>########################</div><div>log {</div><div>       source(s_test_net);</div><div>       destination(d_test);</div><div>};</div><div><br></div></div><div>Thanks</div><div>Raghu</div></div></div></div></div></div></div></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
</blockquote></div></div></div>
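<div>The keep-hostname option suggested in the reply, applied to the configuration posted in the thread. This is an added example, not part of the original messages. The output template with ${SOURCEIP} is an assumption added here: the retained hostname is taken from the message itself, so the template also records which peer delivered each message.</div>

```conf
@version: 3.24
@include "scl.conf"

# Added example: the thread's configuration with keep-hostname() enabled.
options {
    # Keep the hostname found in the incoming message header instead of
    # replacing it with the address of the sending peer. The option can
    # also be set on a single source rather than globally.
    keep-hostname(yes);
};

source s_test_net {
    syslog(transport(udp) port(2514));
};

# Assumption (not in the thread): write the sending peer's address next to
# the retained hostname. ${HOST} is now supplied by the sender and is not
# authenticated over UDP; ${SOURCEIP} is the address syslog-ng saw itself.
destination d_test {
    file("/tmp/test.log"
        template("${ISODATE} ${HOST} sender=${SOURCEIP} ${MSGHDR}${MSG}\n"));
};

log {
    source(s_test_net);
    destination(d_test);
};
```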