* Gergely Nagy <algernon@balabit.hu> [09-16-2011 06:36]:
The best course of action I can think of is using a filter + rewrite combination, something like the following:
filter f_tabhost { host("\t*" type(glob)); };

rewrite r_rewrite_taberror {
    set("$HOST $PROGRAM $MSG", value("MSG"));
    set("$HOST_FROM", value("HOST"));
    set("-", value("PROGRAM"));
};

log { source(...); filter(f_tabhost); rewrite(r_rewrite_taberror); destination(d_syslog); flags(final); };
log { source(...); destination(d_syslog); };
This will set the message part appropriately, and set $HOST to $HOST_FROM (which is the originating host's name, as looked up via DNS), and $PROGRAM to a default value of "-".
Provided that the sending hosts' reverse DNS is the same as the host it sends in syslog messages, the above blocks should do the right thing.
(I'm not sure whether all of this is supported in 3.1, I suppose it is. I only tried with 3.3, as that's what I have at hand, but according to the documentation, this should work with 3.2 as well.)
-- |8]
Thank you Gergely, this does exactly what we want. -Jon