Stripping the original hostname /ip from the syslog message
Hi,

We have a setup where multiple syslog-ng servers send logs to a central syslog-ng server. Finally this central syslog-ng server sends the consolidated logs to an outside server. The outside server can be any server accepting standard syslog messages. The first group of servers are running in the internal network and don't have any hostname associated with them. Also the IP address is internal and does not make sense to the outside world.

My requirement is that the outside server should only see the IP address of the syslog-ng server which consolidates the messages from these syslog-ng servers. But I always see the IP address of the syslog-ng server which originated the message. Is there any way to get rid of this? I tried playing with the keep_hostname, long_hostname, chain_hostname and bad_hostname options but I still see the IP address of the originating server.

Thanks in advance for the help.

-Shashank
Any ideas on this? Is there any way I can use the filters to solve this problem?

-Thanks

________________________________
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Shashank Vinchurkar
Sent: Friday, May 29, 2009 2:54 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Stripping the original hostname /ip from the syslog message
Hi,

I am sure that there are other ways to do it, but if you are using syslog-ng 3.0, you can use a rewrite rule to change the HOST field of the messages. See the second example at http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s07.ht... to create a rewrite rule, then use it in the logpath where your central server forwards the messages.

Regards,
Robert Fekete

Shashank Vinchurkar wrote:
Any ideas on this? Is there any way I can use the filters to solve this problem?
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Hi,

Thanks for the suggestion. It worked for me.

Regards,
-Shashank

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Robert Fekete
Sent: Wednesday, June 03, 2009 1:22 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Stripping the original hostname /ip from the syslog message

Hi,

I am sure that there are other ways to do it, but if you are using syslog-ng 3.0, you can use a rewrite rule to change the HOST field of the messages. See the second example at http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s07.html to create a rewrite rule, then use it in the logpath where your central server forwards the messages.

Regards,
Robert Fekete
Hi,

On Tue, 2009-06-09 at 11:07 -0700, Shashank Vinchurkar wrote:
Hi,
Thanks for the suggestion. It worked for me.
Could you post your example configuration? It could help someone browsing the mailing list archives in the future.

Thanks.

--
Bazsi
On Fri, 2009-05-29 at 14:54 -0700, Shashank Vinchurkar wrote:
I tried playing with the keep_hostname, long_hostname, chain_hostname and bad_hostname options but I still see the IP address of the originating server.
syslog-ng tries hard to keep that information, so that's the default behaviour. If you turn off keep_hostname() syslog-ng will try to resolve the IP address of the host sending the message. If you want to change it, you need to use the rewrite feature that Robert has suggested.

--
Bazsi
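The example configuration Bazsi asked for was never posted to the thread. What follows is an added example, not any poster's configuration, written in syslog-ng 3.0 syntax to implement Robert's rewrite-rule suggestion on the central server while respecting Bazsi's point about keep_hostname(). The listening ports, the public name central.example.net, the outside receiver address 203.0.113.10 and the local archive path are placeholders, not values from the thread.

```conf
@version: 3.0

options {
    # Keep the HOST the relays put in the message instead of resolving the
    # sender (Bazsi: with keep_hostname(no) syslog-ng resolves the sending IP).
    keep_hostname(yes);
    # Do not build host1/host2/... chains as the message crosses relays.
    chain_hostname(no);
    use_dns(no);
};

# Messages arriving from the internal relays (placeholder ports).
source s_relays {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# Replace whatever HOST the relay sent with this server's public name, so
# the outside receiver only ever sees the central server as the origin.
rewrite r_mask_origin {
    set("central.example.net", value("HOST"));
};

# Local archive keeps the original HOST so internal events remain
# attributable to the relay they came from (placeholder path).
destination d_local {
    file("/var/log/relays/$HOST/$YEAR$MONTH$DAY.log" create_dirs(yes));
};

# Outside receiver (placeholder address).
destination d_outside {
    tcp("203.0.113.10" port(514));
};

# Path 1: unmodified copy stays inside.
log { source(s_relays); destination(d_local); };

# Path 2: the rewrite applies only to destinations in this log path, so the
# outside server receives messages carrying central.example.net as HOST.
log { source(s_relays); rewrite(r_mask_origin); destination(d_outside); };
```

The rewrite deliberately removes per-host attribution from what the outside party receives, which is the requirement in the thread, so the first log path archives the unrewritten messages locally where that attribution is still needed for investigation. To check the result, send one test message through a relay and compare the HOST field in the local archive (the relay's IP) with what the outside server records (central.example.net).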
Participants (3): Balazs Scheidler, Robert Fekete, Shashank Vinchurkar