RE: [syslog-ng]relay host address changes source hosts ip in message
Greetings,

The problem is quite simple: you have set the option "keep_hostname(no)" on both servers, which implies that syslog-ng will not trust the hostname in the packet payload, that is, the hostname by which the original server refers to itself, and will use reverse IP resolution to set it. In this scenario, this means that the central server will see packets coming from POP-A and will not use the hostname in the packet but the reverse IP resolution of the packet source IP (or the IP itself if it cannot resolve it). You should remove the option from the central server configuration.

Regards,
Raúl Pedroche
COLT Telecom
Email: raul.pedroche@colt-telecom.es
www.colt.net

-----Original Message-----
From: Bill [mailto:syslog-ng@gardrail.com]
Sent: Wednesday, March 24, 2004 9:28 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]relay host address changes source hosts ip in message

Greetings,

I've been tasked to set up a syslog relay network from various POPs to a centralized syslog server for insertion into a database. The problem I'm running into is at the various POPs; for example, let's call the first one POP-A. At POP-A, I have syslog-ng version 1.6.0rc4 set up to receive both UDP and TCP syslog connections. It in turn relays the syslog messages to the central server. When I look at the incoming data on the centralized server, it shows that the source host information is being rewritten with the relay host's IP.
System stats are:
Solaris 8 intel
syslog-ng 1.6.0rc4

POP-A configuration file follows:

options {
    long_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    check_hostname(yes);
    keep_hostname(no);
    chain_hostnames(no);
    # On Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(0);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(10240);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    create_dirs(yes);
    owner("root");
    group("other");
    perm(0600);
    use_time_recvd(yes);
};

source src {
    # This is the source of syslog.
    # The default protocol port is 512
    udp();
    tcp(max-connections(1024));
};

source l_src {
    # This is internal messages on the local server
    internal();
    sun-streams("/dev/log");
};

destination syslogfile {
    file("/var/log/syslogng/$HOST.log");
    udp("1.1.1.1");
};

filter priorityfilter {
    priority(debug,info,notice,warning,err,crit,alert,emerg);
};

###############################################################
log {
    source(src);
    source(l_src);
    filter(priorityfilter);
    destination(syslogfile);
};

------------------------------------------------------
Server syslog-ng configuration follows:
------------------------------------------------------

options {
    long_hostnames(yes);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    # dns_cache_size(500);
    # dns_cache_expire(3600);
    # dns_cache_expire_failed(3600);
    # check_hostname(yes);
    keep_hostname(no);
    chain_hostnames(no);
    # On Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(0);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(10240);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    create_dirs(yes);
    owner("root");
    group("other");
    perm(0640);
    use_time_recvd(yes);
};

###############################################################
source src {
    # This is the source of syslog.
    # The default protocol port is 512
    udp();
    # This is internal messages on the local server
    internal();
};

source l_src {
    # sun-streams is the driver name (the posted config had "sun-stream")
    sun-streams("/dev/log" door("/etc/.syslog_door"));
    internal();
};

destination syslogfile {
    file("/var/log/syslogng/$YEAR_$MONTH_$DAY_$HOST.log");
};

destination program1 {
    # program() takes a quoted path; the path itself is the poster's placeholder
    program("/path/to/uber/syslog/program.pl"
        template("¡$HOST¡$FACILITY¡$PRIORITY¡$LEVEL¡$TAG¡$FULLDATE¡$PROGRAM¡$MSG\n")
        template-escape(yes)
    );
};

filter priorityfilter {
    priority(debug,info,notice,warning,err,crit,alert,emerg);
};

filter dropsyslog {
    not match("syslog-ng*");
};

###############################################################
log {
    source(src);
    filter(dropsyslog);
    filter(priorityfilter);
    destination(program1);
    destination(syslogfile);
};

###############################################################
log {
    source(l_src);
    destination(program1);
    destination(syslogfile);
};

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
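The host rewriting described in the reply above, traced hop by hop. This is an added model written for this thread, not syslog-ng code: it reproduces only the keep_hostname / use_dns decision for $HOST, and the addresses, the reverse-DNS table and the sample message are constructed.

```python
import re

# Constructed reverse-DNS table standing in for the resolver under use_dns(yes).
REVERSE_DNS = {"10.0.0.5": "router1.pop-a.example", "10.1.1.1": "relay.pop-a.example"}

# BSD syslog framing as syslog-ng 1.6 sees it: "<PRI>Mmm dd hh:mm:ss HOST MSG"
_BSD = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                  r"(?P<host>\S+) (?P<rest>.*)$")

def choose_host(payload_host, src_ip, keep_hostname, use_dns=False):
    """$HOST as one syslog-ng hop assigns it (model of keep_hostname / use_dns)."""
    if keep_hostname:
        return payload_host                     # trust the hostname field as received
    if use_dns:
        return REVERSE_DNS.get(src_ip, src_ip)  # reverse lookup, bare IP if it fails
    return src_ip                               # use_dns(no): always the source IP

def forward(msg, hops):
    """Push msg through hops [(src_ip, keep_hostname, use_dns), ...]; return (final $HOST, msg)."""
    host = None
    for src_ip, keep_hostname, use_dns in hops:
        m = _BSD.match(msg)
        if not m:
            raise ValueError(f"not a BSD syslog message: {msg!r}")
        host = choose_host(m["host"], src_ip, keep_hostname, use_dns)
        # The hop re-emits the message with its own $HOST, so the next hop (or the
        # file/program destination) only ever sees the value chosen here.
        msg = f"<{m['pri']}>{m['ts']} {host} {m['rest']}"
    return host, msg

# Constructed sample: router1 (10.0.0.5) logs to POP-A, which relays to the
# central server from 10.1.1.1. Addresses are made up for the example.
ORIGINAL = "<38>Mar 24 21:28:00 router1 sshd[1234]: Accepted publickey for admin"

def central_host(keep_on_central, dns_on_relay=False):
    """$HOST the central server records for ORIGINAL.

    POP-A is fixed at keep_hostname(no) as in the posted config; the central
    server's keep_hostname is the knob the reply says to change.
    """
    hops = [("10.0.0.5", False, dns_on_relay),     # POP-A receives from router1
            ("10.1.1.1", keep_on_central, False)]  # central receives from POP-A
    return forward(ORIGINAL, hops)[0]

if __name__ == "__main__":
    print("as posted :", central_host(keep_on_central=False))    # 10.1.1.1 (relay IP)
    print("after fix :", central_host(keep_on_central=True))     # 10.0.0.5 (sender IP)
    print("relay DNS :", central_host(True, dns_on_relay=True))  # router1.pop-a.example
```

With both hops at keep_hostname(no) the central server's $HOST.log file is named after POP-A's address, which is exactly the symptom in the original post; dropping the option on the central server keeps whatever POP-A wrote, and enabling use_dns on POP-A turns that into a name.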