Baszi, I've noticed that chain_hostname and chain_hostnames have been used interchangeably in some of our communications. (Singular in your last note, plural in the manual.) Without a reference to keep_hostname in the manual, I somehow made the option plural in the syslog-ng.conf file. When I changed it to singular the parse error went away and the logs started looking like you've described below. Thanks for the extra detail. However, I guess I'm still not sure how "server" becomes "src@", "Message", or "last" on my server? Messages like "Sep 18 10:38:04 Message forwarded from hostname:" where the hostname is the system short name and the field typically populated by a FQDN now have Message. Have I something configured incorrectly?
So if you have a message which has hostname "server", and which resolves to "server2", the following happens:
keep_hostname(yes) keep_hostname(no) chain_hostname(yes) server server/server2 chain_hostname(no) server server2
--- John A. Parker Senior Programmer/Analyst - AIX Cornell University jap54@cornell.edu 607-255-9356 607-255-8521 (Fax)