[syslog-ng] syslog-ng & forwarding
Hamilton, Andrew Mr.
Wed, 8 Mar 2000 15:00:09 +0100
> > I am using syslog-ng 1.4.0rc3 at this time (I do have 1.4.0 but haven't
> > implemented it yet), on Solaris 7 from a Sun SPARC machine. I am trying
> > forward my logs from one machine through another and log them on a third
> > machine. There is a reason I do this and it is necessary that I do it
> > way. However, my question is this:
> I assume your logs are transferred to a loghost behind a chain of
[Hamilton, Andrew] Yes they are.
> > How do I keep it from putting the middle machine's hostname on it?
> > I assumed that chain_hostnames(no) option would do it but it doesn't
> > the way I would have expected. When I used chain_hostnames(no) I got
> > something like:
> > "Mar 8 08:35:41 mhost host hamilton: Testing..."
> Why is there 3 names? there should be only "mhost hamilton: testing..."
[Hamilton, Andrew] The final destination is using regular syslogd
which it won't when I am done testing.
> > When I used chain_hostnames(yes) I got something like:
> > "Mar 8 08:38:17 mhost host/host hamilton: Testing..."
> > Any ideas? Or is this just not possible?
> Are all your hosts using syslog-ng, or some of them use the native
[Hamilton, Andrew] Yes the last one is using syslogd until I get
done testing. They will all use syslog-ng when I am done.
> The proper behaviour is:
> 1) chain_hostnames(off)
> the hostname the message was received from is put in the hostname part
> the message (if it contained one it is replaced) so on your inner
> you'll find the name of your last hop.
> 2) chain_hostnames(on)
> hostnames are chained, which means that on each hop the hostname the
> message was received from is appended to the chain. The first hostname
> the originator. So a hostname like this:
[Hamilton, Andrew] That is the behavior I expected but didn't quite
get. It just didn't dawn on me that the syslogd would add another hostname.
> means, that the message was generated on bzorp, was received from bzorp
> balabit, and it was received from balabit at its final destination.
> A keep_hostname() option would be a useful addition, but it's not
> implemented yet.
[Hamilton, Andrew] That would be useful and thanks for the prompt