Hi,

the syslog messages contain a $HOST field, which relates to the hostname they are posted by. Not all OSes fill this field; in that case syslog-ng attempts to do a reverse-DNS lookup.

In cases where a log message travels multiple hops (e.g. multiple relays) and where the $HOST field is not kept intact, this information can be lost.

Also, syslog-ng (at least recent releases) can optionally keep an internal table of counters, which contain host-specific counters at stats-level(2) or stats-level(3), I can't remember which.

Bazsi
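One way to turn the per-host counters mentioned above into an inventory of sending hosts, as an added example that is not from this thread or the syslog-ng project: a small Python parser for `syslog-ng-ctl stats` output. It assumes the `SourceName;SourceId;SourceInstance;State;Type;Number` column layout and the `src.host` entry name of that output; the sample below is constructed.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample of `syslog-ng-ctl stats` output (not real data).
# Per-host rows (SourceName == "src.host") only appear once stats-level(2)
# or higher is configured, as noted in the reply above.
SAMPLE_STATS = """\
SourceName;SourceId;SourceInstance;State;Type;Number
center;;received;a;processed;1234
src.internal;s_local#0;;a;processed;17
src.host;;web01.example.com;a;processed;812
src.host;;db02.example.com;a;processed;405
src.host;;10.0.0.23;a;processed;17
src.host;;web01.example.com;a;stamp;1530621500
dst.file;d_all#0;/var/log/all.log;a;written;1234
"""


def parse_stats(text):
    """Return {host: processed_count} from syslog-ng-ctl stats text.

    Only 'src.host' rows of Type 'processed' are summed; the 'stamp'
    rows carry the last-seen timestamp and are skipped here.
    """
    hosts = defaultdict(int)
    reader = csv.DictReader(text.splitlines(), delimiter=";")
    for row in reader:
        if row.get("SourceName") != "src.host":
            continue
        if row.get("Type") != "processed":
            continue
        hosts[row["SourceInstance"]] += int(row["Number"])
    return dict(hosts)


def looks_like_ip(name):
    """True if the host string is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def unnamed_hosts(hosts):
    """Hosts known only by IP: the sender did not fill $HOST and
    reverse DNS did not resolve it, so they deserve a closer look."""
    return sorted(h for h in hosts if looks_like_ip(h))


if __name__ == "__main__":
    # Replace SAMPLE_STATS with the output of `syslog-ng-ctl stats` on a real server.
    counts = parse_stats(SAMPLE_STATS)
    for host, n in sorted(counts.items()):
        print(f"{host}: {n} messages")
    print("unresolved senders:", unnamed_hosts(counts))
```

Counters are cumulative since the last reset, so a host that stopped forwarding long ago still appears; compare the `stamp` rows (last-seen time) to spot stale senders.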

On Tue, Jul 3, 2018 at 2:38 PM, Amin, Jitesh CTR DISA JSP (US) <jitesh.amin.ctr@mail.mil> wrote:

CLASSIFICATION: UNCLASSIFIED

Hello,

We have multiple servers running syslog. By looking at the syslog.conf file we can identify where the syslog servers are forwarding the data to.

But what we really want to know is what all sources are writing their logs to our syslog servers. Is there a way for us to look somewhere within syslog configuration and find out which all systems are forwarding/writing logs to a specific syslog server?

Thanks

Jitesh Amin

CLASSIFICATION: UNCLASSIFIED
