On Fri, Aug 02, 2002 at 11:16:01PM +0100, Dale Amon wrote:
I've got the following situation:
Host A can talk to Host B
Host B can talk to Host C
Host A can NOT talk to Host C directly
Host C is the master logger
So I'm trying to set up Host B to act as a forwarder. This "mostly" works:
HOST A:

    destination mylogger { tcp(<HOST B> port(1999) localport(999)); };
    filter all { level(info..err); };
    log {
        source(src);
        filter(all);
        destination(console_all);
        destination(mylogger);
    };

HOST B:

    source s_tcp { tcp(localip(<HOST B>) port(1999) max-connections(50)); };
    destination mylogger { tcp(<HOST C> port(1999) localport(999)); };
    filter all { level(info..err); };
    log {
        source(s_tcp);
        source(src);
        filter(all);
        destination(console_all);
        destination(mylogger);
    };

HOST C:

    source s_tcp { tcp(localip(<HOST C>) port(1999) max-connections(50)); };
    destination logtest {
        file("/var/log/logtest.log" owner("root") group("adm") perm(0640));
    };
    filter drop1 {
        not match ( " session opened|closed for user root|mail")
        and not match ("STATS: dropped 0");
    };
    log {
        source(s_tcp);
        source(src);
        filter(drop1);
        destination(logtest);
    };
The problem is, HOST B rewrites the message source to itself, so all messages from HOST A arriving at HOST C appear to have "occurred" on HOST B.
It's not exactly what happens. syslog-ng rewrites hostnames as it receives messages, so the message indicates where the message came from. This behaviour can be changed by the keep_hostname() option, or by using chained hostnames. I've summarized the use of these options several times, try to google the archives:

google: +keep_hostname site:lists.balabit.hu

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
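
The two options named in the reply, applied to the A -> B -> C relay from the question. This is an added example, not configuration from the original thread; it assumes the options go in the global options block on each receiving host and that the existing source, destination and log statements stay as posted.

```conf
# Variant 1: keep the sender-supplied hostname on every receiving hop.
# HOST B (relay) and HOST C (master logger) both need it: each hop that
# receives over tcp() would otherwise replace the host field with the
# name of the peer it got the message from.

# HOST B
options {
    keep_hostname(yes);   # keep HOST A's name instead of rewriting it
};

# HOST C
options {
    keep_hostname(yes);   # keep whatever name arrives from HOST B
};

# Caveat: with keep_hostname(yes) the receiver trusts the hostname
# written inside the message. Any client able to connect to port 1999
# can then log under any name, so limit who can reach the listener
# (packet filter, localip() bound to an internal interface).

# Variant 2: chained hostnames. Leave hostname rewriting on and have
# each hop record the name it saw, so the relay path stays visible in
# the host field on HOST C and a relayed message is distinguishable
# from one that HOST B generated itself.

# HOST B and HOST C
options {
    keep_hostname(no);
    chain_hostnames(yes);
};
```

With variant 2, any filter or file template on HOST C that matches on the host field has to account for the chained form rather than a bare hostname.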