Sent: Mon Aug 29 2011 19:36:28 GMT-0600 (MST)
From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: syslogng@feystorm.net "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] malformed syslog packets?


That would be the issue. You want $HOST_FROM

Super! I have tweaked the configs.

From the user guide:

HOST

Description: The name of the source host where the message originates from.
If the message traverses several hosts and the chain_hostnames() option is
on, the first host in the chain is used. To use this macro, make sure that
the keep_hostname() option is enabled.

Okay. However there is only one host in the chain:

APC UPS (udp 514)-> syslog_server

doesn't syslog-ng do (reverse) name lookups when using the HOST macro?

It uses the host name as provided by the remote server. So the APC is using its IP as the hostname, while all your other hosts were using an actual hostname as the hostname.