On Thu, Sep 28, 2006 at 01:05:39PM -0400, Tom Valdes wrote:
> I have some machines behind a firewall VLAN of 10.0.240.0 sending logs to a Linux syslog server on the 10.0.230.0 network. The 2 machines are 10.0.240.71 and 10.0.240.72 and the syslog server is 10.0.230.222. They are Windows and I am using the Eventlog to Syslog utility from Purdue University (https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys) to convert the Windows event logs to syslog.
>
> Syslog is getting the information; however, any information from the 2 machines is coming in as 10.0.230.1.
>
> -------
> Sep 28 11:37:54 10.0.230.1 Service Control .......   <---- This machine is actually 10.0.240.71
> -------
>
> Is there a way to get syslog to read the correct IP information, or does syslog simply not pass correct host information through a router?
This evtsys might leave out the hostname information, like Linux sysklogd or Solaris syslogd. This behavior is documented here:

http://www.campin.net/syslog-ng/syslog.html

If evtsys is in fact sending the hostname, use

options { keep_hostname(yes); };

...as described for a similar problem here, where the source IP of the UDP/TCP packets is different from the original syslog client's source:

http://www.campin.net/syslog-ng/faq.html#stunnel

--
Nate

"We are discreet sheep; we wait to see how the drove is going, and then go with the drove." - Samuel Clemens
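The two cases Nate distinguishes (sender omits the HOSTNAME field, versus sender includes it but syslog-ng rewrites it because keep_hostname() defaults to no) can be walked through with a small model of the receiving side. The following is an added example, not code from the thread, from evtsys or from syslog-ng: the datagrams are constructed (the "WIN-71" host, the "evtsys:" tag and the message text are assumptions), and the hostname-detection heuristic is a simplification of what syslog-ng's BSD-syslog parser does, not its actual code. The peer address 10.0.230.1 is the one the server saw in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample datagrams (not real evtsys output). The first has no
# HOSTNAME field: after the TIMESTAMP it goes straight into the TAG. The
# second carries a HOSTNAME ("WIN-71", an assumed name) as RFC 3164 expects:
#   <PRI>TIMESTAMP HOSTNAME TAG: MSG
SAMPLE_NO_HOST = (
    "<14>Sep 28 11:37:54 evtsys: Service Control Manager: "
    "The Messenger service entered the running state."
)
SAMPLE_WITH_HOST = (
    "<14>Sep 28 11:37:54 WIN-71 evtsys: Service Control Manager: "
    "The Messenger service entered the running state."
)

# Address the server actually received the UDP datagrams from (from the thread).
PEER_SEEN_BY_SERVER = "10.0.230.1"

_TS = r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"
_BSD_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>" + _TS + r") (?P<rest>.*)$")


@dataclass
class ParsedMessage:
    pri: int
    timestamp: str
    hostname: Optional[str]   # None when the sender omitted the field
    msg: str


def parse_bsd_syslog(raw: str) -> ParsedMessage:
    """Split a BSD (RFC 3164 style) syslog line into PRI, TIMESTAMP, HOSTNAME, MSG.

    Simplified heuristic (an assumption, not syslog-ng's parser): the token
    after the timestamp is a HOSTNAME unless it looks like a TAG, i.e. it
    contains ':' or '[' ("program:" / "program[pid]:"), in which case the
    sender left the HOSTNAME field out entirely.
    """
    m = _BSD_RE.match(raw)
    if not m:
        raise ValueError("not a <PRI>TIMESTAMP-prefixed BSD syslog message")
    rest = m.group("rest")
    token, _, tail = rest.partition(" ")
    if token and ":" not in token and "[" not in token:
        hostname, msg = token, tail
    else:
        hostname, msg = None, rest
    return ParsedMessage(int(m.group("pri")), m.group("ts"), hostname, msg)


def resolve_host(raw: str, peer_addr: str, keep_hostname: bool = False) -> str:
    """Return the HOST value the server would record for this datagram.

    keep_hostname=False (syslog-ng's default): the HOST field is rewritten to
    the address the datagram arrived from, whatever the message said.
    keep_hostname=True: trust the HOSTNAME the sender put in the message; if
    the sender omitted it, there is nothing to keep and the peer address is
    used anyway.
    """
    parsed = parse_bsd_syslog(raw)
    if keep_hostname and parsed.hostname:
        return parsed.hostname
    return peer_addr


def thread_scenarios(peer_addr: str = PEER_SEEN_BY_SERVER) -> dict:
    """The four combinations from the reply, for a datagram seen from peer_addr."""
    return {
        ("no hostname in msg", "keep_hostname(no)"):
            resolve_host(SAMPLE_NO_HOST, peer_addr, keep_hostname=False),
        ("no hostname in msg", "keep_hostname(yes)"):
            resolve_host(SAMPLE_NO_HOST, peer_addr, keep_hostname=True),
        ("hostname in msg", "keep_hostname(no)"):
            resolve_host(SAMPLE_WITH_HOST, peer_addr, keep_hostname=False),
        ("hostname in msg", "keep_hostname(yes)"):
            resolve_host(SAMPLE_WITH_HOST, peer_addr, keep_hostname=True),
    }


if __name__ == "__main__":
    for (msg_case, option), host in thread_scenarios().items():
        print(f"{msg_case:20} {option:20} -> logged HOST = {host}")
```

Only the last combination (sender includes a hostname and the server has keep_hostname(yes)) yields anything other than the peer address, which is why the first thing to check is whether evtsys puts a HOSTNAME field in the datagram at all. keep_hostname(yes) also means the server trusts a client-supplied field: any host that can reach the listener can label its messages with someone else's name, so it is worth limiting the source with a firewall rule or by binding the listener to the expected interface.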