Hi,

I just experienced some weird behaviour regarding the resolution of the ${HOST} variable/macro. There seems to be a difference whether the remote log client runs sysklogd or syslog-ng.

Basic setup
===========

syslog-ng 2.0 log server
------------------------

/etc/hosts:
    host1.syslog-ng.local 192.168.10.1
    host1.sysklogd.local 192.168.20.1

/etc/syslog-ng/syslog-ng.conf:
    normalize_hostnames(yes);
    keep_hostname(no);
    use_dns(yes);
    use_fqdn(yes);

No address or hostname/fqdn is served by a real DNS server, everything is contained in /etc/hosts.

Case #1
=======

syslog-ng 2.0 log server
------------------------

/etc/syslog-ng/syslog-ng.conf:
    chain_hostnames(yes);

messages received from sysklogd log clients
-------------------------------------------

${HOST} resolves to host1.sysklogd.local
${FULLHOST} resolves to host1.sysklogd.local/host1.sysklogd.local

messages received from syslog-ng 1.6 log clients
------------------------------------------------

${HOST} resolves to host1
${FULLHOST} resolves to host1/host1.syslog-ng.local

Case #2
=======

syslog-ng 2.0 log server
------------------------

/etc/syslog-ng/syslog-ng.conf:
    chain_hostnames(no);

messages received from sysklogd log clients
-------------------------------------------

${HOST} resolves to host1.sysklogd.local

messages received from syslog-ng 1.6 log clients
------------------------------------------------

${HOST} resolves to host1.syslog-ng.local

Where does that difference come from?! Shouldn't syslog-ng on the log server just not care about whatever hostname the log client sent due to keep_hostname(no) and use the data from /etc/hosts? How come that messages directly being sent to the syslog-ng log server are affected by chain_hostnames() *at all*?!

Puzzled,
Wolfram :)
On Thu, 2006-11-23 at 21:04 +0100, Wolfram Schlich wrote:
Hi,
I just experienced some weird behaviour regarding the resolution of the ${HOST} variable/macro. There seems to be a difference whether the remote log client runs sysklogd or syslog-ng.
I have to admit that I didn't really try to understand your scenarios, but isn't it possible that syslog-ng includes a hostname in the message while sysklogd doesn't? When there's no hostname in the incoming message, syslog-ng adds one, even if keep_hostname() was specified.

Check the incoming message stream with tcpdump/strace.

--
Bazsi
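The check suggested in the reply above can be run against captured payloads to see which clients put a HOST field on the wire. This is an added example, not part of the original thread and not syslog-ng code; the sample payloads are constructed, and the rule used to tell a hostname from a program tag is a heuristic assumed here.

```python
import re

# BSD syslog (RFC 3164 style) header: <PRI>Mmm dd hh:mm:ss [HOST] TAG: text
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)

def split_host(datagram: bytes):
    """Return (host or None, remainder) for one raw syslog payload."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = HEADER.match(text)
    if m is None:
        return None, text          # no PRI/timestamp header at all
    first, _, tail = m.group("rest").partition(" ")
    # Heuristic (assumption): a first token that ends in ':' or carries
    # a '[pid]' is the program tag, so the sender put no HOST field in.
    if not tail or first.endswith(":") or "[" in first:
        return None, m.group("rest")
    return first, tail

def classify(captured):
    """Map each (peer_ip, payload) pair to (peer_ip, host or None)."""
    return [(peer, split_host(payload)[0]) for peer, payload in captured]

# Constructed payloads, shaped like what tcpdump -A would show on UDP/514.
SAMPLES = [
    ("192.168.10.1", b"<13>Nov 23 21:04:01 host1 sshd[412]: session opened\n"),
    ("192.168.20.1", b"<13>Nov 23 21:04:02 sshd[412]: session opened\n"),
    ("192.168.20.1", b"<6>Nov  3 09:00:00 kernel: eth0: link up\n"),
]

if __name__ == "__main__":
    for peer, host in classify(SAMPLES):
        print(f"{peer}: HOST field = {host or '(absent, receiver must supply one)'}")
```
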
Participants (2): Balazs Scheidler, Wolfram Schlich