On Wed, Mar 21, 2018 at 9:58 AM, Fabien Wernli <wernli@in2p3.fr> wrote:On Wed, Mar 21, 2018 at 09:46:32AM -0400, Asif Iqbal wrote:
> My client hostname is svl-search-01 and its IP resolves to svl-remote-01.
> Its syslogs do not have any PRI or hostname in HOST field.
>
> I like to have svl-search-01 in the HOST field.
In that case the only sensible options are:
* upgrade & use add-contextual-dat
or
* use /etc/hosts and keep-hostname(no)
I noticed if I have mutiple source files I only get logs from the last source only. Does that make sense?source s_sys {file ("/proc/kmsg" program_override("kernel: "));system();internal();udp(ip(0.0.0.0) port(514));};source s_udp { udp(ip(0.0.0.0) port(514)); };source s_alarm { udp( ip(0.0.0.0) port(514) use_dns(persist_only) ); };log { source(s_sys); filter(f_ciena); destination(d_ciena); };log { source(s_alarm); filter(f_alarm); destination(d_alarm); };As soon as I commented all the other sources and only kept the s_sys, I started getting logs again fromthose routers.
____________________________________________________________ __________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product= syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
--Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?