I guess I asked the wrong question. We're not supplying data for the rhost field, so there wouldn't be any present in my previous example. Thank you for pointing that out. But my question would be more correctly stated as: how do I distinguish the log data, from multiple hosts, feeding into a central syslog-ng server? I'm missing something obvious, since there is not an IP address to identify the traffic. I am logging everything based on source udp514 into a separate file.

options { keep_hostname(no); use_dns(no); sync(0); };
source rmt_udp { udp(ip("0.0.0.0") port(514)); };
destination d_all { file("/var/log/all.log"); };
log { source(rmt_udp); destination(d_all); };

On Wed, 2005-12-28 at 10:28 -0500, ken.schweiker@faa.gov wrote:
I hope someone can answer a few basic questions to help with my previously described problem. Since I have not used syslog before....

Is the rhost field where I should see some value? Specifically the originating IP address of the msg.? My field is blank. Does anyone else use version 1.6.2 and not have this problem?
Uh huh, you mean the rhost field _inside_ the message part?

Dec 23 17:50:12 suselog/suselog su(pam_unix)[13205]: authentication failure; logname=syss555 uid=500 euid=0 tty=pts/4 ruser=syss555 rhost= user=root

In this case this has nothing to do with syslog-ng, as it never touches the message itself (e.g. anything after the hostname in the header, suselog/suselog in the case above).

--
Bazsi

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
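An added example, not from anyone in this thread: a small Python parser for lines as they land in a combined file destination like the /var/log/all.log above. It shows where the two pieces of information live: the sending host is the hostname field of the syslog header, which syslog-ng itself fills in (with keep_hostname(no) and use_dns(no) it writes the sending host's IP address there), while rhost= is only text inside the message body that PAM wrote and syslog-ng passes through untouched. The sample lines are constructed; the slash-chained "relay/origin" header form seen in the quoted line is handled.

```python
import re
from collections import defaultdict

# Constructed sample of what a central syslog-ng file destination receives.
# The word after the timestamp is the header hostname, which syslog-ng fills in
# (with keep_hostname(no) and use_dns(no) that is the sending host's IP).
SAMPLE_LOG = """\
Dec 23 17:50:12 suselog/suselog su(pam_unix)[13205]: authentication failure; logname=syss555 uid=500 euid=0 tty=pts/4 ruser=syss555 rhost= user=root
Dec 23 17:51:03 10.0.0.5 sshd[2201]: Accepted password for alice from 10.0.0.9 port 4412 ssh2
Dec 23 17:51:40 10.0.0.7 su(pam_unix)[311]: session opened for user root by bob(uid=500)
"""

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one syslog line into header fields and the untouched message part."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # A slash-chained header host ("relay/origin", as in the quoted line) is kept
    # whole in rec["host"]; the last element is the originating host.
    rec["origin_host"] = rec["host"].split("/")[-1]
    # key=value pairs such as rhost= live inside the message body, which syslog-ng
    # passes through unchanged; an empty rhost means the program (PAM) left it empty.
    rec["fields"] = dict(KV_RE.findall(rec["msg"]))
    return rec


def group_by_origin(text):
    """Map each originating host to the messages it sent, from a combined all.log."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[rec["origin_host"]].append(rec["msg"])
    return dict(groups)


if __name__ == "__main__":
    for host, msgs in group_by_origin(SAMPLE_LOG).items():
        print(host, len(msgs), "messages")
```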