I've got the following situation:

  Host A can talk to Host B
  Host B can talk to Host C
  Host A can NOT talk to Host C directly
  Host C is the master logger

So I'm trying to set up Host B to act as a forwarder. This "mostly" works:

HOST A:

  destination mylogger { tcp(<HOST B> port(1999) localport(999)); };
  filter all { level(info..err); };
  log { source(src); filter(all); destination(console_all); destination(mylogger); };

HOST B:

  source s_tcp { tcp(localip(<HOST B>) port(1999) max-connections(50)); };
  destination mylogger { tcp(<HOST C> port(1999) localport(999)); };
  filter all { level(info..err); };
  log { source(s_tcp); source(src); filter(all); destination(console_all); destination(mylogger); };

HOST C:

  source s_tcp { tcp(localip(<HOST C>) port(1999) max-connections(50)); };
  destination logtest { file("/var/log/logtest.log" owner("root") group("adm") perm(0640)); };
  filter drop1 { not match (" session opened|closed for user root|mail") and not match ("STATS: dropped 0"); };
  log { source(s_tcp); source(src); filter(drop1); destination(logtest); };

The problem is, HOST B rewrites the message source to itself, so all messages from HOST A arriving at HOST C appear to have "occurred" on HOST B.

Is there a way to do real forwarding rather than hacking it as I did above?
On Fri, Aug 02, 2002 at 11:16:01PM +0100, Dale Amon wrote:
> The problem is, HOST B rewrites the message source to itself, so all messages from HOST A arriving at HOST C appear to have "occurred" on HOST B.
It's not exactly what happens. syslog-ng rewrites hostnames as it receives messages, so the message indicates where the message came from. This behaviour can be changed by the keep_hostname() option, or by using chained hostnames.

I've summarized the use of these options several times, try to google the archives:

google: +keep_hostname site:lists.balabit.hu

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
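For readers who want the concrete settings rather than the archive search, here is an added relay/collector configuration for the set-up described in the first message; it is not part of the thread and not Bazsi's text. It assumes the same placeholders (<HOST B>, <HOST C>, port 1999) and the same sources and destinations as the original post, and the option names keep_hostname() and chain_hostnames() as documented for syslog-ng 1.6 and later (older 1.x releases spelled the second one long_hostnames()). The important detail the original configuration misses is that the rewrite happens on every receiving hop, so HOST C needs the option as well as HOST B.

```syslog-ng
# Added example (not from the thread). Both the relay and the collector must
# stop rewriting the hostname, because each of them rewrites on receipt.

# ---- HOST B (relay) ----
options {
    keep_hostname(yes);    # keep the hostname field as sent by HOST A
    chain_hostnames(no);   # do not turn "hostA" into "hostA/hostB"
};
source src   { internal(); unix-stream("/dev/log"); };
source s_tcp { tcp(localip(<HOST B>) port(1999) max-connections(50)); };
destination mylogger { tcp(<HOST C> port(1999) localport(999)); };
filter all { level(info..err); };
log { source(s_tcp); source(src); filter(all); destination(mylogger); };

# ---- HOST C (collector) ----
options {
    keep_hostname(yes);    # otherwise C stamps every relayed line with HOST B
    # Alternative: chain_hostnames(yes) on B and C records the path instead,
    # so a relayed line carries "hostA/hostB" and a local one just "hostC".
};
source src   { internal(); unix-stream("/dev/log"); };
source s_tcp { tcp(localip(<HOST C>) port(1999) max-connections(50)); };
destination logtest { file("/var/log/logtest.log" owner("root") group("adm") perm(0640)); };
filter drop1 { not match(" session opened|closed for user root|mail") and not match("STATS: dropped 0"); };
log { source(s_tcp); source(src); filter(drop1); destination(logtest); };
```

To verify, send a test line from HOST A (for example with logger(1) at a level inside info..err) and check that the hostname column in /var/log/logtest.log on HOST C shows HOST A, not HOST B. Note the trade-off from a log-integrity point of view: with keep_hostname(yes) the collector records whatever hostname the sending process put in the header, so the origin field is only as trustworthy as the hosts allowed to connect to port 1999; chain_hostnames(yes) keeps the relay path in the record, which lets you see on the collector which relay each message actually came through.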
On Wed, Aug 07, 2002 at 05:26:45PM +0200, Balazs Scheidler wrote:
> I've summarized the use of these options several times, try to google the archives:
>
> google: +keep_hostname site:lists.balabit.hu
Plus there's always: http://www.campin.net/syslog-ng/faq.html#hostname

-- 
"The existing phrasebooks are inadequate. They are well enough as far as they go, but when you fall down and skin your leg they don't tell you what to say." - Samuel Clemens
Participants (3): Balazs Scheidler, Dale Amon, Nate Campi