Hello;
I am running syslog-NG on a server inside of a DMZ, and on that server I'd like to just forward all messages into my internal syslog-NG server. I feel this is better than having to create a new firewall rule for each new DMZ node.
I have a simple syslog-NG config that looks like this:
---------START syslog-ng.conf-----------
@version:3.5
@include "scl.conf"
@include "/etc/syslog-ng/conf.d/*.conf"
options {
    time-reap(30);
    mark-freq(10);
    keep-hostname(yes);
    chain_hostnames (off);
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
};
source s_relay {
    udp(ip(0.0.0.0) port(514) so_rcvbuf(425984));
    tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(425984) log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
    syslog(ip(0.0.0.0) transport("tcp") port(1514) max-connections(500) log_iw_size(25000) flags("threaded") log_fetch_limit(100));
};
destination d_syslog_tcp { syslog("10.5.5.10" transport("tcp") port(514)); };
log { source(s_relay); destination(d_syslog_tcp); };
----------END syslog-NG.conf-------------
The problem that I am experiencing is that my messages, once received by my internal syslog-NG server, look like the following:
Apr 26 17:31:06 relay-sng-server
126 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384 INFO: @2 SessionExchange::
Apr 26 17:31:06 relay-sng-server
124 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384 DEBUG: OpenSSLHandler::
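
Added example, not part of the original post: syslog-ng's `syslog()` destination driver sends RFC 5424 messages with RFC 6587 octet-count framing, which matches the payloads above (a byte count such as `126`, then `<30>1 ...`). The sketch below decodes such a stream the way a framing-aware receiver would. It assumes the internal server's listener on port 514 parsed the stream as legacy BSD syslog, which cannot be confirmed because that server's configuration is not shown in the post. The function names and sample messages are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    rb"<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<host>\S+) "
    rb"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    rb'(?P<sd>-|(?:\[(?:[^\]"]|"(?:[^"\\]|\\.)*")*\])+)(?: (?P<msg>.*))?',
    re.S,
)

def split_frames(stream: bytes) -> list:
    """Split an RFC 6587 octet-counted stream: b'<len> <msg><len> <msg>...'."""
    pos, frames = 0, []
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1 or not stream[pos:sp].isdigit():
            raise ValueError(f"no octet count at offset {pos}")
        count = int(stream[pos:sp])
        frame = stream[sp + 1 : sp + 1 + count]
        if len(frame) < count:
            raise ValueError(f"truncated frame at offset {pos}")
        frames.append(frame)
        pos = sp + 1 + count
    return frames

def parse_rfc5424(frame: bytes) -> dict:
    """Recover the original sender's fields from one de-framed message."""
    m = RFC5424.fullmatch(frame)
    if m is None:
        raise ValueError("frame is not an RFC 5424 message")
    rec = {k: (v or b"").decode("utf-8", "replace") for k, v in m.groupdict().items()}
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    return rec

# Constructed sample modelled on the payloads in the post (message text is invented).
SAMPLE_MSGS = [
    b"<30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - INFO: session opened",
    b"<30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - DEBUG: handler ready",
]
SAMPLE_STREAM = b"".join(b"%d %s" % (len(m), m) for m in SAMPLE_MSGS)

if __name__ == "__main__":
    for raw in split_frames(SAMPLE_STREAM):
        print(parse_rfc5424(raw))
```

A receiver that does not strip the octet count sees no `<PRI>` at the start of the data, so it keeps the whole frame as message text and stamps it with its own receive time and the relay's name, as in the output above.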