[syslog-ng] syslog-ng & forwarding

Balazs Scheidler bazsi@balabit.hu
Wed, 8 Mar 2000 14:38:11 +0100


> I am using syslog-ng 1.4.0rc3 at this time (I do have 1.4.0 but haven't
> implemented it yet), on Solaris 7 from a Sun SPARC machine.  I am trying to
> forward my logs from one machine through another and log them on a third
> machine.  There is a reason I do this and it is necessary that I do it this
> way.  However, my question is this:

I assume your logs are transferred to a loghost behind a chain of firewalls.

> How do I keep it from putting the middle machine's hostname on it?
> 
> I assumed that chain_hostnames(no) option would do it but it doesn't work
> the way I would have expected.  When I used chain_hostnames(no) I got
> something like:
> 
> "Mar  8 08:35:41 mhost host hamilton: Testing..."

Why are there 3 names? There should be only "mhost hamilton: testing..."

> 
> When I used chain_hostnames(yes) I got something like:
> 
> "Mar  8 08:38:17 mhost host/host hamilton: Testing..."
> 
> Any ideas?  Or is this just not possible?

Are all your hosts using syslog-ng, or do some of them use the native syslogd?
The proper behaviour is:

1) chain_hostnames(off)
   the hostname the message was received from is put in the hostname part of
   the message (if it contained one it is replaced) so on your inner loghost
   you'll find the name of your last hop.
2) chain_hostnames(on)
   hostnames are chained, which means that on each hop the hostname the
   message was received from is appended to the chain. The first hostname is
   the originator. So a hostname like this:
      bzorp/bzorp/balabit

   means that the message was generated on bzorp, was received from bzorp by
   balabit, and was received from balabit at its final destination.

A keep_hostname() option would be a useful addition, but it's not
implemented yet.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
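The two chain_hostnames rules described in the reply above, as an added simulation written for this page (it is not syslog-ng's own code); the hostnames bzorp, balabit and loghost and the sample message line are constructed, and the hop order is assumed to be originator, relay, final loghost:

```python
import re

# BSD syslog line as it travels between hops: "Mmm dd HH:MM:SS <host> <rest>"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")


def parse(line):
    """Split a syslog line into (timestamp, hostname part, program+message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    return m.group("ts"), m.group("host"), m.group("rest")


def receive(line, sender, chain_hostnames):
    """Hostname rewrite a syslog-ng hop applies to a message received from `sender`.

    chain_hostnames(off): the hostname part is replaced by the sender's name.
    chain_hostnames(on):  the sender's name is appended to the existing chain.
    """
    ts, host, rest = parse(line)
    host = "%s/%s" % (host, sender) if chain_hostnames else sender
    return "%s %s %s" % (ts, host, rest)


def relay(line, path, chain_hostnames):
    """Forward `line` along `path` (originator first); each hop receives from the previous one."""
    for i in range(1, len(path)):
        line = receive(line, path[i - 1], chain_hostnames)
    return line


def originator_of(host_part):
    """First name in a chain is where the message was generated."""
    return host_part.split("/")[0]


def last_hop_of(host_part):
    """Last name in a chain is the hop the final destination received it from."""
    return host_part.split("/")[-1]


if __name__ == "__main__":
    # Constructed sample: generated on bzorp, relayed via balabit, stored on loghost.
    msg = "Mar  8 08:35:41 bzorp hamilton: Testing..."
    path = ["bzorp", "balabit", "loghost"]
    print("chain_hostnames(on): ", relay(msg, path, True))   # bzorp/bzorp/balabit
    print("chain_hostnames(off):", relay(msg, path, False))  # balabit
```

With chain_hostnames(on) the final hostname part is the bzorp/bzorp/balabit chain from the reply; with chain_hostnames(off) only the last hop, balabit, survives, so the originator is lost on the loghost.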