First off, thanks for the syslog-ng effort. :-) Setting up a "middle-man" syslog forwarder for multiple IDS devices. The issue I'm having is that I need to keep the originating device IP through this forwarder. The original message is old syslog to syslog-ng then off again to a correlation host with a syslogd listener. The correlation host needs those messages in their original form instead of with the middle mans IP attached. IDS1(syslog)----->Middle Host(syslog-ng)------>Correlation(syslogd -r) ^ | IDS2(syslog)--------- So the correlation host obviously is taking the UDP source from the middle man and appending it to the beginning of the message. Have tried using keep_hostname() with no avail. Current options are the following: options { sync(0); log_fifo_size(1000); use_dns(no); use_fqdn(no); create_dirs(no); keep_hostname(yes); chain_hostnames(no); }; Am I missing something here? Ideas? Thnx, T -- Neohapsis, Inc. Thomas Oele - Network Security Consultant 414.289.0966 Milwaukee 773.394.8310 Chicago www.Neohapsis.com