Greetings,

  The problem is quite simple: you have set the option "keep_hostname(no)" on both
servers, which implies that syslog-ng will not trust the hostname in the packet
payload, that is, the hostname by which the original server refers to itself, and
will use reverse IP resolution to set it.

  In this scenario, this means that the central server will see packets coming from
POP-A and will not use the hostname in the packet but the reverse IP resolution
of the packet source IP (or the IP by itself if it cannot resolve it).

  You should remove the option from the central server configuration.

  Regards,

Raúl Pedroche
COLT Telecom
Email: raul.pedroche@colt-telecom.es
www.colt.net
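To make the fix concrete, here is an added example (not from either mail or from the syslog-ng project) of the central server's options block from the original post with keep_hostname switched on, followed by the chained-hostname alternative. The relay address 10.0.0.5 and the host name rtr1 in the comments are assumed for illustration. One caveat a practitioner should keep in mind: with keep_hostname(yes), $HOST is whatever the sending side put in the packet, so anyone who can reach the central udp() port can claim to be any host; restrict the senders to the POP relays and treat $HOST as untrusted input when the program destination inserts it into the database.

```conf
# Added example, not part of the original thread: the central-server
# options block as posted, with only keep_hostname changed.
#
# As posted, keep_hostname(no) makes syslog-ng discard the hostname field
# of every message and replace it with the reverse-DNS name of the packet's
# source address, or, because use_dns(no) is set, with the bare source IP.
# The source address of every relayed packet is the POP-A relay, so all
# relayed messages were filed under the relay's address.
options {
       long_hostnames(yes);
       use_dns(no);
       use_fqdn(no);
       dns_cache(no);
       keep_hostname(yes);     # keep the hostname field the relay forwarded
       chain_hostnames(no);    # plain $HOST, no relay path appended
       log_msg_size(8192);
       sync(0);
       log_fifo_size(10240);
       time_reopen(10);
       create_dirs(yes);
       owner("root");
       group("other");
       perm(0640);
       use_time_recvd(yes);
};

# Alternative for auditing the relay path: with chain_hostnames(yes) the
# name syslog-ng resolves for the peer it received the message from (the
# relay's IP here, because use_dns(no)) is appended to the forwarded
# hostname after a slash. A message about host "rtr1" arriving through a
# relay at 10.0.0.5 (assumed address) would carry $HOST "rtr1/10.0.0.5".
# options {
#        keep_hostname(yes);
#        chain_hostnames(yes);
# };
```

Two practical notes. Leaving keep_hostname(no) on POP-A is fine and arguably useful: with use_dns(no) there, the relay replaces each device's self-reported name with the device's IP as POP-A saw it, so the name that reaches the central server is one the first hop observed rather than one the device chose. And if you pick the chained variant, remember that $HOST then contains a slash, so a destination such as "/var/log/syslogng/$HOST.log" with create_dirs(yes) turns into one directory per client with a file per relay beneath it.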


-----Original Message-----
From: Bill [mailto:syslog-ng@gardrail.com]
Sent: Wednesday, March 24, 2004 9:28 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]relay host address changes source hosts ip in message


Greetings,

I've been tasked to set up a syslog relay network from various POPs to a
centralized syslog server for insertion into a database.

The problem I'm running into is at the various POPs; for example, let's call
the first one POP-A.  At POP-A, I have syslog-ng version 1.6.0rc4 set up to
receive both UDP and TCP syslog connections.  It, in turn, relays the syslog
messages to the central server.  When I look at the incoming data on the
centralized server, it shows that the source host information
is being rewritten with the relay host's IP.

System stats are:

Solaris 8 intel
Syslog-ng 1.6.0rc4

POP-A configuration file follows:

options {
       long_hostnames(off);
       use_dns(no);
       use_fqdn(no);
       dns_cache(no);
       check_hostname(yes);
       keep_hostname(no);
       chain_hostnames(no);
       # On Solaris, log(3) truncates at 1024 chars
       log_msg_size(8192);
       # buffer just a little for performance
       sync(0);
       # memory is cheap, buffer messages unable to write (like to loghost)
       log_fifo_size(10240);
       # The time to wait before a dead connection is reestablished (seconds)
       time_reopen(10);
       create_dirs(yes);
       owner("root");
       group("other");
       perm(0600);
       use_time_recvd(yes);
};

source src {
       # Messages arriving from the POP's devices over the network.
       # The default syslog port is 514 for both udp() and tcp().
       udp();
       tcp(max-connections(1024));
};
source l_src {
       # syslog-ng's own internal messages and the local Solaris
       # STREAMS log device
       internal();
       sun-streams("/dev/log");
};
destination syslogfile {
       # One file per reported host, plus a copy relayed to the
       # central server (1.1.1.1 as posted)
       file("/var/log/syslogng/$HOST.log");
       udp("1.1.1.1");
};
filter priorityfilter {
       priority(debug,info,notice,warning,err,crit,alert,emerg);
};
###############################################################
log {
       source(src);
       source(l_src);
       filter(priorityfilter);
       destination(syslogfile);
};

------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
Server syslog-ng configuration follows:
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------

options {
       long_hostnames(yes);
       use_dns(no);
       use_fqdn(no);
       dns_cache(no);
#       dns_cache_size(500);
#       dns_cache_expire(3600);
#       dns_cache_expire_failed(3600);
#       check_hostname(yes);
       keep_hostname(no);
       chain_hostnames(no);
       # On Solaris, log(3) truncates at 1024 chars
       log_msg_size(8192);
       # buffer just a little for performance
       sync(0);
       # memory is cheap, buffer messages unable to write (like to loghost)
       log_fifo_size(10240);
       # The time to wait before a dead connection is reestablished (seconds)
       time_reopen(10);
       create_dirs(yes);
       owner("root");
       group("other");
       perm(0640);
       use_time_recvd(yes);
};
###############################################################
source src {
       # Messages relayed from the POPs.
       # The default syslog port is 514.
       udp();
       # syslog-ng's own messages (also listed in l_src; the dropsyslog
       # filter on this log path is what keeps them from being logged twice)
       internal();
};

source l_src {
       # Solaris 8 local log device; the driver name is sun-streams
       sun-streams("/dev/log" door("/etc/.syslog_door"));
       internal();
};

destination syslogfile {
       # Braces keep the underscore from being read as part of the macro
       # name (otherwise syslog-ng looks for a macro called YEAR_).
       file("/var/log/syslogng/${YEAR}_${MONTH}_${DAY}_${HOST}.log");
};

destination program1 {
       # The program path must be a quoted string; the path itself is
       # the placeholder from the post.
       program("/path/to/uber/syslog/program.pl"
               template("”$HOST”$FACILITY”$PRIORITY”$LEVEL”$TAG”$FULLDATE”$PROGRAM”$MSG\n")
               template-escape(yes)
       );
};

filter priorityfilter {
       priority(debug,info,notice,warning,err,crit,alert,emerg);
};
filter dropsyslog {
       # match() takes a regular expression, not a shell glob:
       # "syslog-ng*" would mean "syslog-n" followed by any number of "g".
       # A plain substring match is what is intended here.
       not match("syslog-ng");
};
###############################################################
log {
       source(src);
       filter(dropsyslog);
       filter(priorityfilter);
       destination(program1);
       destination(syslogfile);
};
###############################################################
log {
       source(l_src);
       destination(program1);
       destination(syslogfile);
};

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html