Thanks Laszlo, I will try that and get back.

Raghu

On Fri, Nov 29, 2019, 19:40 Pal, Laszlo <vlad@vlad.hu> wrote:
If 172.22.2.55 is your relay, use the keep-hostname option
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...
On Fri, Nov 29, 2019 at 2:24 PM Raghunath Adhyapak <funduraghu@gmail.com> wrote:
Hi,
I'm observing that syslog-ng is modifying the SYSLOGHOST in the incoming log line and outputting an IP instead. I would like to retain the incoming hostname in incoming syslog and forward the same information.
Here is my incoming log line: <13>Nov 29 04:07:40 BVRM-DC04 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer= BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was logged off.
Outgoing log line: <13>Nov 29 04:07:40 172.22.2.55 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer= BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was logged off.
FYI, this is a log from Windows, but the same is happening for syslog from other firewalls as well.
My syslog-ng.conf:
@version: 3.24
@include "scl.conf"

########################
# Sources
########################
source s_test_net {
    syslog(transport(udp) port(2514) );
};

########################
# Destinations
########################
destination d_test {
    file("/tmp/test.log");
};

########################
# Log paths
########################
log { source(s_test_net); destination(d_test); };

Thanks
Raghu
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
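The keep-hostname suggestion applied to the configuration posted in this thread, as an added example that is not part of the original messages. With keep-hostname(yes) the HOST field is whatever the sender wrote in the message, so the destination also records the network peer through the ${SOURCEIP} macro for correlation. The template layout and the peer= field name are assumptions chosen for illustration.

```conf
@version: 3.24
@include "scl.conf"

source s_test_net {
    # keep-hostname(yes): keep the HOST field from the received message
    # instead of replacing it with the name or address of the sending peer.
    syslog(transport(udp) port(2514) keep-hostname(yes));
};

destination d_test {
    # HOST now comes from the message content, so also write the address
    # the datagram actually arrived from (${SOURCEIP}).
    # Template layout and "peer=" label are illustrative assumptions.
    file("/tmp/test.log"
        template("${ISODATE} ${HOST} peer=${SOURCEIP} ${MSGHDR}${MESSAGE}\n"));
};

log { source(s_test_net); destination(d_test); };
```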