Hi,

Hoping someone has seen an easy fix for this. Sorry if it's specifically referenced somewhere I'm not seeing. Dealing with a vendor who is not able to leverage the RFC headers or TCP input. We have rsyslog relays in remote sites sending TCP/514 to syslog-ng and others locally sending directly to syslog-ng TCP/UDP 514. The devices sending directly to syslog-ng are reporting to the IDS correctly. Hosts relaying through rsyslog are showing a source address of the relay.

/etc/rsyslog.d/forward.conf

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@syslog-ngIP:514

/etc/syslog-ng/conf.d

source s_net_tcp {tcp(ip(0.0.0.0) port(514) max-connections(300) keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000)); };
source s_net_udp {syslog(ip(0.0.0.0) keep_hostname(yes) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142));};
destination d_ids {network("IDSHOSTNAME" spoof_source(yes) transport(udp) port(514) flags(syslog-protocol)); };

log { source(s_net_udp);
    channel {filter(f_ids); destination (d_ids);};
    channel {parser(pattern_db); destination (d_es);};
};
log { source(s_net_tcp);
    channel {filter(f_ids); destination (d_ids);};
    channel {parser(pattern_db); destination (d_es);};
};
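Added example, not part of the original post and not rsyslog or syslog-ng code: a small Python check that pulls the HOSTNAME field out of each RFC 3164 / RFC 5424 line as the IDS would receive it and compares the packet source address with the address that hostname is expected to have, so you can list which hosts are arriving with the relay's address instead of their own. The sample lines, the addresses and the name-to-address map are all constructed for the example.

```python
import re

# Constructed samples of (packet source IP, raw syslog line) as seen on the IDS side.
# 10.0.0.5 sends straight to syslog-ng; 10.1.0.1 is an rsyslog relay in a remote site.
SAMPLES = [
    ("10.0.0.5", "<34>Oct 11 22:14:15 fw-edge01 sshd[1234]: Failed password for root"),
    ("10.1.0.1", "<34>Oct 11 22:14:16 branch-sw01 snmpd[99]: Authentication failure"),
    ("10.1.0.1", "<165>1 2024-10-11T22:14:17.003Z branch-rtr01 bgpd - ID47 - neighbor down"),
]

# Constructed hostname-to-address map standing in for DNS or an asset inventory.
HOST_TO_IP = {
    "fw-edge01": "10.0.0.5",
    "branch-sw01": "10.1.0.20",
    "branch-rtr01": "10.1.0.21",
}

# RFC 3164 (rsyslog's traditional forward format): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# RFC 5424 (syslog-ng's syslog-protocol flag): <PRI>1 TIMESTAMP HOSTNAME APP PROCID MSGID ...
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")


def header_hostname(line):
    """Return the HOSTNAME field of an RFC 5424 or RFC 3164 line, or None if neither parses."""
    m = RFC5424.match(line) or RFC3164.match(line)
    return m.group(3) if m else None


def relayed_hosts(samples, host_to_ip):
    """Return (hostname, packet_ip, expected_ip) for every message whose packet source
    address differs from the address its header hostname is expected to have.
    Messages with an unparsable header or an unknown hostname are skipped."""
    findings = []
    for packet_ip, line in samples:
        host = header_hostname(line)
        expected = host_to_ip.get(host) if host else None
        if expected is not None and expected != packet_ip:
            findings.append((host, packet_ip, expected))
    return findings


if __name__ == "__main__":
    for host, seen, expected in relayed_hosts(SAMPLES, HOST_TO_IP):
        print(f"{host}: arrived from {seen}, expected {expected}")
```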