I am using syslog-ng 1.4.0rc3 at this time (I do have 1.4.0 but haven't implemented it yet), on Solaris 7 from a Sun SPARC machine. I am trying to forward my logs from one machine through another and log them on a third machine. There is a reason I do this and it is necessary that I do it this way. However, my question is this:

How do I keep it from putting the middle machine's hostname on it? I assumed that the chain_hostnames(no) option would do it but it doesn't work the way I would have expected. When I used chain_hostnames(no) I got something like:

"Mar 8 08:35:41 mhost host hamilton: Testing..."

When I used chain_hostnames(yes) I got something like:

"Mar 8 08:38:17 mhost host/host hamilton: Testing..."

Any ideas? Or is this just not possible?

Andrew Hamilton
mailto:hamiltona@hq.5sigcmd.army.mil
> I am using syslog-ng 1.4.0rc3 at this time (I do have 1.4.0 but haven't implemented it yet), on Solaris 7 from a Sun SPARC machine. I am trying to forward my logs from one machine through another and log them on a third machine. There is a reason I do this and it is necessary that I do it this way. However, my question is this:

I assume your logs are transferred to a loghost behind a chain of firewalls.

> How do I keep it from putting the middle machine's hostname on it?
> I assumed that the chain_hostnames(no) option would do it but it doesn't work the way I would have expected. When I used chain_hostnames(no) I got something like:
> "Mar 8 08:35:41 mhost host hamilton: Testing..."

Why are there 3 names? There should be only "mhost hamilton: testing..."

> When I used chain_hostnames(yes) I got something like:
> "Mar 8 08:38:17 mhost host/host hamilton: Testing..."
> Any ideas? Or is this just not possible?
Are all your hosts using syslog-ng, or do some of them use the native syslogd?

The proper behaviour is:

1) chain_hostnames(off): the hostname the message was received from is put in the hostname part of the message (if it contained one it is replaced), so on your inner loghost you'll find the name of your last hop.

2) chain_hostnames(on): hostnames are chained, which means that on each hop the hostname the message was received from is appended to the chain. The first hostname is the originator. So a hostname like this:

bzorp/bzorp/balabit

means that the message was generated on bzorp, was received from bzorp at balabit, and was received from balabit at its final destination.

A keep_hostname() option would be a useful addition, but it's not implemented yet.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
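The hop-by-hop rewrite Bazsi describes above, modelled as an added Python example (not code from syslog-ng or from either poster). The hostnames bzorp and balabit are taken from the reply; the log line and the relay path are constructed, and the regex assumes the traditional "MMM dd HH:MM:SS HOST PROGRAM: text" line shape shown in the thread.

```python
import re
from typing import List

# Traditional syslog line as seen in the thread. The HOST field becomes a
# '/'-separated chain when relays run with chain_hostnames(on).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)


def receive(line: str, received_from: str, chain_hostnames: bool) -> str:
    """Model one syslog-ng hop receiving `line` from peer `received_from`.

    chain_hostnames(off): the HOST field is replaced by the peer's name.
    chain_hostnames(on):  the peer's name is appended to the existing chain.
    """
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    host = f"{m['host']}/{received_from}" if chain_hostnames else received_from
    return f"{m['ts']} {host} {m['rest']}"


def forward(line: str, path: List[str], chain_hostnames: bool) -> str:
    """Carry `line` along `path`, the sender name each successive hop receives from."""
    for sender in path:
        line = receive(line, sender, chain_hostnames)
    return line


def hops(line: str) -> List[str]:
    """Split the HOST field into its chain; first element is the originator
    only if every hop ran with chain_hostnames(on). With it off, the relay
    overwrote the originator and the loghost only ever sees the last hop."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    return m["host"].split("/")


if __name__ == "__main__":
    # Constructed: bzorp generates the message, balabit relays it, a third
    # host is the final loghost (the same path as Bazsi's bzorp/bzorp/balabit).
    msg = "Mar  8 08:38:17 bzorp hamilton: Testing..."
    path = ["bzorp", "balabit"]
    print(forward(msg, path, True))   # ... bzorp/bzorp/balabit hamilton: Testing...
    print(forward(msg, path, False))  # ... balabit hamilton: Testing...
```

Note that each element of the chain is simply what the receiving hop recorded for its peer, so the chain documents the route taken but does not authenticate the originator.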
Participants (2):
- Balazs Scheidler
- Hamilton, Andrew Mr.