We have a bunch of servers whose applications write error/debug
messages to 127.0.0.1 port 514. We want syslog-ng on each of the servers to forward
the messages to a central logging server which also forwards the messages to
zenoss running on the central logger server. The problem with our configuration
(which I have copied here) is that no matter which server originates the
message, they show up on the central server as originating from localhost –
in both zenoss and in the /var/log files. We want them to be shown as
originating from the server that produced the messages. We can add a template
on the central logger to log the messages as coming from $FROM_HOST, but while
that solves the problem for the /var/log messages, zenoss still shows the
messages as coming from localhost. Please help, we are new to using
syslog-ng. We are using syslog-ng version 2.0.8 on Red Hat Linux.
-----------------server syslog-ng.conf (slightly abbreviated)
options {
use_dns(yes);
use_fqdn(no);
chain_hostnames(no);
keep_hostname(yes);
:::
};
source java {
udp(ip(127.0.0.1) port(514));
};
destination remote {
udp("192.168.99.105" port(514));
};
log { source(java); destination(remote); };
------------------central logger config file
options {
use_time_recvd( no );
time_reopen(1);
long_hostnames(off);
sync(0);
use_dns(yes);
use_fqdn(no);
chain_hostnames(no);
keep_hostname(yes);
create_dirs(yes);
stats(3600);
};
source src {
unix-stream("/dev/log");
pipe("/proc/kmsg");
internal();
udp(ip(0.0.0.0) port(514));
};
destination everything {
file("/var/log/$HOST_FROM.$MONTH$DAY$YEAR" template("$HOST_FROM $HOUR:$MIN:$SEC $MSG\n"));
};
destination zenoss {
udp( "localhost" port(5514) );
#udp( "localhost" port(5514) template("<$PRI>$DATE $HOST_FROM $MSG\n") );
};
log { source(src); destination(everything); };
log { source(src); destination(zenoss); };
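
A simplified model of the two-hop relay described above, added here as an illustration; it is not part of the original post and not syslog-ng's own code. It assumes the application sends a header-less datagram to the loopback listener, and the client name app01, its address 192.168.99.20 and the DNS table are constructed sample values.

```python
import re

# Simplified model of BSD-syslog (RFC 3164) relaying, not syslog-ng's own code.
# Constructed sample data: app01 / 192.168.99.20 stand in for one client server.
DNS = {"127.0.0.1": "localhost", "192.168.99.20": "app01"}
STAMP = "Jan  1 00:00:00"  # fixed timestamp so the output is reproducible
APP_MSG = "<11>java: connection refused"  # assumed app datagram: no header

HEADER = re.compile(
    r"<(\d+)>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)", re.S)


def parse(datagram):
    """Return (pri, host, msg); host is None when there is no timestamp+HOST header."""
    m = HEADER.match(datagram)
    if m:
        return int(m.group(1)), m.group(2), m.group(3)
    pri, _, msg = datagram[1:].partition(">")
    return int(pri), None, msg


def forward(datagram, sender_ip, keep_hostname):
    """Re-emit a datagram the way a relay would, choosing the HOST field."""
    pri, host, msg = parse(datagram)
    if host is None or not keep_hostname:
        # No usable HOST, or the relay is told to overwrite it: use the sender
        # address, resolved to a name as with use_dns(yes).
        host = DNS.get(sender_ip, sender_ip)
    return f"<{pri}>{STAMP} {host} {msg}"


def host_seen_by_central(central_keep_hostname):
    """HOST field after app -> local relay (via loopback) -> central logger."""
    hop1 = forward(APP_MSG, "127.0.0.1", keep_hostname=True)
    hop2 = forward(hop1, "192.168.99.20", central_keep_hostname)
    return parse(hop2)[1]


if __name__ == "__main__":
    for keep in (True, False):
        print(f"central keep_hostname={keep}: HOST={host_seen_by_central(keep)}")
```

In this model the first hop stamps the name of the loopback sender into the HOST field, and a second hop that keeps incoming hostnames passes that name on unchanged, while one that overwrites them substitutes the name of the machine that sent the datagram.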