Greetings, I've been tasked to setup a syslog relay network from various pops to a centralized syslog server for insert into a database. The problem I'm running into is at the various pops, for example, lets call the first one POP-A. At POP-A, I have syslog-ng version 1.6.0rc4 setup to receive both udp and tcp syslog connections. It in turn, relays the syslog messages to the central server. When I look at the incoming data on the centralized server, the incoming data shows that the source host information is being re-written with the relay hosts ip.

System stats are:
Solaris 8 intel
Syslog-ng 1.6.0rc4

POP-A configuration file follows:

# Relay (POP-A): accepts syslog over UDP and TCP plus local Solaris messages,
# writes a per-host file, and forwards everything to the central server.
options {
    long_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    check_hostname(yes);
    # NOTE(review): with keep_hostname(no) the receiving syslog-ng replaces the
    # host field of each message with the address of whoever sent the packet.
    # On this relay, with use_dns(no), that is the IP of the originating device.
    keep_hostname(no);
    chain_hostnames(no);
    # On Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(0);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(10240);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    create_dirs(yes);
    owner("root");
    group("other");
    perm(0600);
    use_time_recvd(yes);
};

source src {
    # This is the source of syslog.
    # The standard syslog port is 514 (the original comment here said 512).
    # NOTE(review): udp() and tcp() are given no ip() restriction, so they
    # presumably listen on every interface; anyone who can reach the port can
    # submit log lines. Limit senders with a packet filter or bind with ip().
    udp();
    tcp(max-connections(1024));
};

source l_src {
    # This is the source of syslog.
    # This is internal messages on the local server
    internal();
    sun-streams("/dev/log");
    # This is internal messages on the local server
};

# Local per-host file plus the forward to the central server.
# NOTE(review): the forward uses udp(), which is unauthenticated, unencrypted
# and lossy. If the path between the pop and the central server crosses a
# network you do not control, consider a tcp() destination carried over a
# protected channel (VPN or tunnel) so relayed records cannot be read, dropped
# or forged in transit.
destination syslogfile {
    file( "/var/log/syslogng/$HOST.log" );
    udp("1.1.1.1");
};

# Lists every priority level, so this filter passes all messages.
filter priorityfilter {
    priority(debug,info,notice,warning,err,crit,alert,emerg);
};

###############################################################
log {
    source(src);
    source(l_src);
    filter(priorityfilter);
    destination(syslogfile);
};

------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
Server syslog-ng configuration follows:
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------

# Central server: receives relayed syslog over UDP, writes dated per-host
# files, and pipes each record to an external program (database insert,
# according to the message text above).
options {
    # NOTE(review): long_hostnames is documented as an alias of
    # chain_hostnames, and the two are set to different values in this block.
    # Confirm which one takes effect.
    long_hostnames(yes);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    # dns_cache_size(500);
    # dns_cache_expire(3600);
    # dns_cache_expire_failed(3600);
    # check_hostname(yes);
    # NOTE(review): this is the likely cause of the reported symptom. With
    # keep_hostname(no) the server overwrites the host field with the sender of
    # the packet, and the sender is always the relay. keep_hostname(yes) would
    # preserve the host written by the relay, but the host field then becomes
    # sender-controlled data. It is used below in a file name and passed to the
    # program, so enable check_hostname(yes) (it appears commented out above)
    # and accept traffic on this source only from the relay addresses.
    keep_hostname(no);
    chain_hostnames(no);
    # On Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(0);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(10240);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    create_dirs(yes);
    owner("root");
    # NOTE(review): perm(0640) with group("other") makes the log files
    # group-readable. On Solaris "other" is commonly the default group of
    # ordinary accounts (confirm on this host); a dedicated log-reader group
    # would keep central logs away from unprivileged users.
    group("other");
    perm(0640);
    use_time_recvd(yes);
};

###############################################################
source src {
    # This is the source of syslog.
    # The standard syslog port is 514 (the original comment here said 512).
    # NOTE(review): no ip() restriction is given, so any host that can reach
    # this UDP port can write into the central log store and the database
    # feed. Restrict it to the relay addresses at the packet filter.
    udp();
    # This is internal messages on the local server
    internal();
};

source l_src {
    sun-stream("/dev/log" door("/etc/.syslog_door"));
    internal();
};

# One file per day and host; $HOST comes from the message's host field.
destination syslogfile {
    file( "/var/log/syslogng/$YEAR_$MONTH_$DAY_$HOST.log" );
};

# Pipes each record to an external program as one delimiter-separated line.
# NOTE(review): every field in the template comes from the network and is
# untrusted. template-escape(yes) escapes quote characters only, and the
# delimiter itself can appear inside $MSG. program.pl is not shown; it should
# split on a fixed number of fields and use bound (parameterized) statements
# for the insert rather than building SQL text from these values.
destination program1 {
    program( /path/to/uber/syslog/program.pl template ("¡$HOST¡$FACILITY¡$PRIORITY¡$LEVEL¡$TAG¡$FULLDATE¡$PROGRAM¡$MSG\n") template-escape(yes) );
};

# Lists every priority level, so this filter passes all messages.
filter priorityfilter {
    priority(debug,info,notice,warning,err,crit,alert,emerg);
};

# NOTE(review): match() takes a regular expression, not a glob, so
# "syslog-ng*" means "syslog-n" followed by zero or more "g" and is applied to
# message content. Any network-received message containing that text is
# discarded, not only syslog-ng's own messages. If the aim is to drop
# syslog-ng's internal chatter, filtering on program() is narrower and cannot
# be triggered by message text.
filter dropsyslog {
    not match("syslog-ng*");
};

###############################################################
# Network-received messages: filtered, then sent to the program and the file.
log {
    source(src);
    filter(dropsyslog);
    filter(priorityfilter);
    destination(program1);
    destination(syslogfile);
};

###############################################################
# Local messages: sent unfiltered to the program and the file.
log {
    source(l_src);
    destination(program1);
    destination(syslogfile);
};