[syslog-ng] syslog-ng & forwarding
Hamilton, Andrew Mr.
HamiltonA@hq.5sigcmd.army.mil
Wed, 8 Mar 2000 15:00:09 +0100
> > I am using syslog-ng 1.4.0rc3 at this time (I do have 1.4.0 but haven't
> > implemented it yet), on Solaris 7 from a Sun SPARC machine. I am trying to
> > forward my logs from one machine through another and log them on a third
> > machine. There is a reason I do this and it is necessary that I do it this
> > way. However, my question is this:
>
> I assume your logs are transferred to a loghost behind a chain of
> firewalls.
[Hamilton, Andrew] Yes, they are.
>
> > How do I keep it from putting the middle machine's hostname on it?
> >
> > I assumed that chain_hostnames(no) option would do it but it doesn't work
> > the way I would have expected. When I used chain_hostnames(no) I got
> > something like:
> >
> > "Mar 8 08:35:41 mhost host hamilton: Testing..."
>
> Why are there 3 names? There should be only "mhost hamilton: testing..."
[Hamilton, Andrew] The final destination is using regular syslogd,
which it won't be when I am done testing.
>
> >
> > When I used chain_hostnames(yes) I got something like:
> >
> > "Mar 8 08:38:17 mhost host/host hamilton: Testing..."
> >
> > Any ideas? Or is this just not possible?
>
> Are all your hosts using syslog-ng, or some of them use the native
> syslogd?
[Hamilton, Andrew] Yes, the last one is using syslogd until I get
done testing. They will all use syslog-ng when I am done.
>
> The proper behaviour is:
>
> 1) chain_hostnames(off)
> the hostname the message was received from is put in the hostname part of
> the message (if it contained one it is replaced) so on your inner loghost
> you'll find the name of your last hop.
> 2) chain_hostnames(on)
> hostnames are chained, which means that on each hop the hostname the
> message was received from is appended to the chain. The first hostname is
> the originator. So a hostname like this:
> bzorp/bzorp/balabit
>
[Hamilton, Andrew] That is the behavior I expected but didn't quite
get. It just didn't dawn on me that the syslogd would add another hostname.
> means that the message was generated on bzorp, was received from bzorp to
> balabit, and it was received from balabit at its final destination.
>
> A keep_hostname() option would be a useful addition, but it's not
> implemented yet.
>
[Hamilton, Andrew] That would be useful and thanks for the prompt
response.
Drew
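The hostname rewriting described in the reply above (replace on chain_hostnames(off), append on chain_hostnames(on)), simulated hop by hop over a BSD-style syslog line. This is an added illustration, not code from the thread or from syslog-ng; the sample line, the host names (bzorp, balabit, loghost) and the origin_verified check are constructed for the example.

```python
import re
from typing import List

# Constructed sample in classic BSD syslog layout (timestamp, hostname, program: text),
# modelled on the lines quoted in the thread. Host names are constructed too.
SAMPLE = "Mar  8 08:38:17 bzorp hamilton: Testing..."

# timestamp, hostname field, remainder (program: message)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)


def relay_hop(line: str, received_from: str, chain_hostnames: bool) -> str:
    """Rewrite the hostname field as one relay hop does, per the reply above.

    chain_hostnames(off): the field is replaced by the host the message came from.
    chain_hostnames(on):  that host is appended with '/', so element 0 stays the
                          originator's own hostname.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    host = f"{m.group('host')}/{received_from}" if chain_hostnames else received_from
    return f"{m.group('ts')} {host} {m.group('rest')}"


def forward(line: str, path: List[str], chain_hostnames: bool) -> str:
    """Carry a message along `path` (originator first, final loghost last).

    Every host after the originator receives from the one before it, so there
    is exactly one relay_hop per receiving host.
    """
    for sender in path[:-1]:
        line = relay_hop(line, sender, chain_hostnames)
    return line


def hostname_chain(line: str) -> List[str]:
    """Split a chained hostname field back into hops, originator first."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    return m.group("host").split("/")


def origin_verified(line: str) -> bool:
    """Added check (not from the thread): with chaining on, element 0 is the name
    the originator wrote into the message and element 1 is the host the first
    relay actually received it from, so they should agree (bzorp/bzorp).
    Returns False when there is no chain to compare or the two disagree."""
    chain = hostname_chain(line)
    return len(chain) >= 2 and chain[0] == chain[1]
```

Run with chain_hostnames on, the sample comes out as "bzorp/bzorp/balabit", exactly the chain the reply walks through; with it off, only "balabit" (the last hop) survives.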