All hops along the way need to be syslog-ng. Don't mix syslog and syslog-ng if you want the original sender.

On Tuesday, July 22, 2003, at 05:25 PM, Tom Oele wrote:
First off, thanks for the syslog-ng effort. :-)
Setting up a "middle-man" syslog forwarder for multiple IDS devices. The issue I'm having is that I need to keep the originating device IP through this forwarder. The original message is old syslog to syslog-ng then off again to a correlation host with a syslogd listener.
The correlation host needs those messages in their original form instead of with the middle man's IP attached.
    IDS1(syslog)----->Middle Host(syslog-ng)------>Correlation(syslogd -r)
                            ^
                            |
    IDS2(syslog)------------
So the correlation host obviously is taking the UDP source from the middle man and appending it to the beginning of the message. Have tried using keep_hostname() to no avail.
Current options are the following:
    options {
        sync(0);
        log_fifo_size(1000);
        use_dns(no);
        use_fqdn(no);
        create_dirs(no);
        keep_hostname(yes);     # trust the HOST field of the incoming message
        chain_hostnames(no);    # do not append this relay's name to it
    };
Am I missing something here? Ideas?
Thnx, T
--
Neohapsis, Inc.
Thomas Oele - Network Security Consultant
414.289.0966 Milwaukee
773.394.8310 Chicago
www.Neohapsis.com

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
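The exchange above turns on where each hop gets its HOST field from: a syslog-ng hop decides with keep_hostname() and chain_hostnames(), while a peer-trusting receiver stamps the UDP source address on whatever arrives. The following Python model, added here as an illustration and not code from the thread or from the syslog-ng project, walks one constructed RFC 3164 message along the IDS1 -> middle -> correlation path under the different option combinations. The sample message, the host names ids1/middle, and the "legacy receiver" model (host taken from the peer address, everything after the timestamp treated as message text, which is the behaviour Tom describes for syslogd -r) are assumptions of this example; the keep_hostname()/chain_hostnames() semantics follow the syslog-ng option documentation.

```python
import re
from dataclasses import dataclass

# Constructed sample: an RFC 3164-style datagram as a legacy syslogd on IDS1
# might emit it. <34> = facility auth (4*8) + severity crit (2).
SAMPLE_FROM_IDS1 = "<34>Jul 22 17:25:01 ids1 snort[1042]: alert: portscan from 10.0.0.7"

# <PRI>, 15-char BSD timestamp, HOST, then the free-form message text.
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMsg:
    pri: int
    timestamp: str
    host: str
    body: str

    def render(self) -> str:
        return f"<{self.pri}>{self.timestamp} {self.host} {self.body}"


def parse(wire: str) -> SyslogMsg:
    m = BSD_RE.match(wire)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {wire!r}")
    return SyslogMsg(int(m["pri"]), m["ts"], m["host"], m["body"])


def relay_hop(wire: str, peer: str, relay_name: str,
              keep_hostname: bool, chain_hostnames: bool) -> str:
    """Model one syslog-ng relay. `peer` is the name syslog-ng derives from the
    UDP source address (with use_dns(no) it would be the bare IP)."""
    msg = parse(wire)
    if not keep_hostname:
        # keep_hostname(no): HOST is rewritten with the sending peer.
        msg.host = peer
    if chain_hostnames:
        # chain_hostnames(yes): this relay appends its own name, "host/relay".
        msg.host = f"{msg.host}/{relay_name}"
    return msg.render()


def legacy_syslogd_receive(wire: str, peer: str) -> str:
    """Assumed model of the peer-trusting receiver in the thread: the stored
    host is the UDP peer, and the HOST the relay put in the message survives
    only as the first word of the message text."""
    msg = parse(wire)
    return f"{msg.timestamp} {peer} {msg.host} {msg.body}"


def syslogng_receive(wire: str, peer: str, keep_hostname: bool) -> str:
    """A syslog-ng receiver honours keep_hostname(): yes trusts the HOST field
    in the message, no substitutes the peer."""
    msg = parse(wire)
    host = msg.host if keep_hostname else peer
    return f"{msg.timestamp} {host} {msg.body}"


def stored_host(line: str) -> str:
    """HOST is the first field after the 15-char BSD timestamp and its space."""
    return line[16:].split(" ", 1)[0]


def run_path(relay_keep: bool, relay_chain: bool, receiver: str) -> str:
    """IDS1 -> middle (syslog-ng) -> correlation; receiver is 'legacy' or 'syslog-ng'."""
    # Hop 1: the middle host sees the datagram arriving from ids1's address.
    relayed = relay_hop(SAMPLE_FROM_IDS1, peer="ids1", relay_name="middle",
                        keep_hostname=relay_keep, chain_hostnames=relay_chain)
    # Hop 2: the correlation host sees the datagram arriving from middle's address.
    if receiver == "legacy":
        return legacy_syslogd_receive(relayed, peer="middle")
    return syslogng_receive(relayed, peer="middle", keep_hostname=True)


if __name__ == "__main__":
    print("poster's config, syslogd receiver :", run_path(True, False, "legacy"))
    print("poster's config, syslog-ng receiver:", run_path(True, False, "syslog-ng"))
    print("chain_hostnames(yes), syslog-ng    :", run_path(True, True, "syslog-ng"))
```

With the poster's options and a peer-trusting receiver, the stored host is "middle" and "ids1" is buried inside the message text, which is exactly the symptom in the question; swapping the last hop for a syslog-ng receiver with keep_hostname(yes) makes "ids1" the stored host again, and chain_hostnames(yes) on the relay records the whole path as "ids1/middle".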