On Wed, Mar 21, 2018 at 9:58 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
On Wed, Mar 21, 2018 at 09:46:32AM -0400, Asif Iqbal wrote:
My client hostname is svl-search-01 and its IP resolves to svl-remote-01. Its syslogs do not have any PRI or hostname in HOST field.
I like to have svl-search-01 in the HOST field.
In that case the only sensible options are:
* upgrade & use add-contextual-dat
or
* use /etc/hosts and keep-hostname(no)
I noticed if I have multiple source files I only get logs from the last source only. Does that make sense?

    source s_sys {
        file ("/proc/kmsg" program_override("kernel: "));
        system();
        internal();
        udp(ip(0.0.0.0) port(514));
    };

    source s_udp {
        udp(ip(0.0.0.0) port(514));
    };

    source s_alarm {
        udp( ip(0.0.0.0) port(514) use_dns(persist_only) );
    };

    log { source(s_sys); filter(f_ciena); destination(d_ciena); };
    log { source(s_alarm); filter(f_alarm); destination(d_alarm); };

As soon as I commented all the other sources and only kept the s_sys, I started getting logs again from those routers.
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?