Hi,
I'm observing that syslog-ng is modifying the SYSLOGHOST in the incoming log line and outputting an IP instead.
I would like to retain the incoming hostname in incoming syslog and forward the same information.
Here is my incoming log line:
<13>Nov 29 04:07:40 BVRM-DC04 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=
BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was logged off.
Outgoing log line:
<13>Nov 29 04:07:40
172.22.2.55 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=
BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was logged off.
FYI, this is log from Windows, but same is happening for syslog from other firewalls as well.
My syslog-ng.conf:
@version: 3.24
@include "scl.conf"
########################
# Sources
########################
source s_test_net { syslog(transport(udp) port(2514) ); };
########################
# Destinations
########################
destination d_test { file("/tmp/test.log"); };
########################
# Log paths
########################
log {
source(s_test_net);
destination(d_test);
};
Thanks
Raghu