Probably the closest thing to that right now is chain_hostnames(on) as a global option. You don't get what you really want but you get something like:

20 June 2003 12:00:00 relay/host program:.....

as a hostname you get both the host it came through and the host it originated from. There isn't a macro defined for relay but you could probably hack the code for chain_hostnames to give you a relay. The only trouble would be figuring it out if you have more than one relay.

-----Original Message-----
From: Michael Boman [mailto:michael.boman@securecirt.com]
Sent: Friday, June 20, 2003 6:58 AM
To: Syslog-NG ML
Subject: [syslog-ng]Recording relay instance

Hi,

I have some "problems" with syslog-ng. I have it deployed in several networks, and some of these networks are sharing the same IP address range and sometimes even the same IP address for certain hosts. This means that I can't truly say that 192.168.51.4 is either the db server in network A or the web server in network B.

I'd like to have a $RELAY macro so I can save the logs as

/LOGS/$RELAY/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$YEAR_$MONTH_$DAY

Where $RELAY is where the message came from (so with direct connections it would be the same as $HOST, but with a syslog-ng in relay mode you get the address/name of the relay host). Basically a "received from" field.

Is this functionality planned, or does it already exist (checked out the documentation but didn't see anything there).

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
On Fri, 2003-06-20 at 20:51, Hamilton, Andrew wrote:
Probably the closest thing to that right now is chain_hostnames(on) as a global option. You don't get what you really want but you get something like:
20 June 2003 12:00:00 relay/host program:.....
as a hostname you get both the host it came through and the host it originated from. There isn't a macro defined for relay but you could probably hack the code for chain_hostnames to give you a relay. The only trouble would be figuring it out if you have more than one relay.
First off, having it in the message itself really screws up the log analysis software (it's doing a gethostbyname() on the hostname). I have tried it before, but it didn't work. I got hostA/hostA in the hostname field, not hostA/relayA. That's basically why I am asking this. I was asking earlier (a few weeks now) where I can stick in some code that strips out non-printable ASCII characters, as there is a particular firewall brand that likes to break the RFC by sending out messages with tab characters in it. I have the code already, but don't know where to stick it.

-----Original Message-----
From: Michael Boman [mailto:michael.boman@securecirt.com]
Sent: Friday, June 20, 2003 6:58 AM
To: Syslog-NG ML
Subject: [syslog-ng]Recording relay instance
Hi,
I have some "problems" with syslog-ng. I have it deployed in several networks, and some of these networks are sharing the same IP address range and sometimes even the same IP address for certain hosts. This means that I can't truly say that 192.168.51.4 is either the db server in network A or the web server in network B.
I'd like to have a $RELAY macro so I can save the logs as
/LOGS/$RELAY/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$YEAR_$MONTH_$DAY
Where $RELAY is where the message came from (so with direct connections it would be the same as $HOST, but with a syslog-ng in relay mode you get the address/name of the relay host). Basically a "received from" field.
Is this functionality planned, or does it already exist (checked out the documentation but didn't see anything there).
Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
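Collector-side post-processing for the two things the thread discusses: splitting a chain_hostnames(on) "relay/host" field into the $RELAY and $HOST values Michael wants for his path template, and stripping the non-printable characters the firewall injects. This is an added Python example, not syslog-ng's code and not anything either poster wrote; it assumes the relay/host element order Andrew gives (so it cannot separate multiple relays), BSD-style lines carrying a `<PRI>` prefix for the facility, a caller-supplied year because BSD timestamps have none, and constructed sample lines.

```python
import re
# Constructed sample input in the "relay/host" hostname layout Andrew describes
# for chain_hostnames(on); not real captured traffic.
SAMPLE_LINES = [
    "<38>Jun 20 12:00:00 relayA/dbserver sshd[812]: Accepted publickey",
    "<38>Jun 20 12:00:01 webserver sshd[813]: Accepted password",      # direct connection
    "<38>Jun 20 12:00:02 hostA/hostA sshd[814]: chained with itself",  # the case Michael saw
    "<134>Jun 20 12:00:03 relayB/fw1 fw: deny\ttcp\t10.0.0.5\x01",     # tabs and a control byte
]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
            "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) "
                       r"\d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")

def split_chain(hostfield):
    """Return (relay, host, informative). Assumes the thread's order: last element is
    the originating host, first is the relay the collector received from. No '/' is a
    direct connection (relay == host); hostA/hostA names no real relay, so
    informative is False and the caller knows the chain told it nothing."""
    parts = hostfield.split("/")
    relay, host = parts[0], parts[-1]
    return relay, host, len(parts) > 1 and relay != host

def strip_nonprintable(msg):
    """Drop everything outside printable ASCII (tabs, control bytes), as Michael's fix does."""
    return "".join(c for c in msg if 0x20 <= ord(c) <= 0x7e)

def parse_line(line, year):
    """Parse one BSD-style line; BSD timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    relay, host, informative = split_chain(m["host"])
    fac = int(m["pri"]) >> 3  # PRI = facility * 8 + severity
    return {"relay": relay, "host": host, "chain_informative": informative,
            "facility": FACILITY[fac] if fac < len(FACILITY) else "unknown", "year": year,
            "month": MONTHS[m["mon"]], "day": int(m["day"]), "msg": strip_nonprintable(m["msg"])}

def log_path(rec):
    """Render /LOGS/$RELAY/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$YEAR_$MONTH_$DAY."""
    y, mo, d = rec["year"], f"{rec['month']:02d}", f"{rec['day']:02d}"
    return f"/LOGS/{rec['relay']}/{rec['host']}/{y}/{mo}/{d}/{rec['facility']}_{y}_{mo}_{d}"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line, 2003)
        print(log_path(rec), "" if rec["chain_informative"] else "(no relay info)", rec["msg"])
```

Records with `chain_informative` set to False are the ones where the chained field gave no relay (direct connections, or the hostA/hostA result Michael observed), so the $RELAY directory for them is just the host again.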