[syslog-ng]Message forwarding problem

Balazs Scheidler bazsi@balabit.hu
Wed, 7 Aug 2002 17:26:45 +0200


On Fri, Aug 02, 2002 at 11:16:01PM +0100, Dale Amon wrote:
> I've got the following situation:
> 
> 	Host A can talk to Host B
> 	Host B can talk to Host C
> 	Host A can NOT talk to Host C directly
> 	Host C is the master logger
> 
> So I'm trying to set up Host B to act as a forwarder. This
> "mostly" works:
> 
> HOST A:
> destination mylogger { tcp(<HOST B> port(1999) localport(999)); };
> filter all { level(info..err); };
> log { source(src); filter(all); destination(console_all); destination(mylogger); };
> 
> HOST B:
> source s_tcp { tcp(localip(<HOST B>) port(1999) max-connections(50)); };
> destination mylogger { tcp(<HOST C> port(1999) localport(999)); };
> filter all { level(info..err); };
> log { source(s_tcp); source(src); filter(all); destination(console_all); destination(mylogger); };
> 
> HOST C
> source s_tcp { tcp(localip(<HOST C>) port(1999) max-connections(50)); };
> destination logtest { file("/var/log/logtest.log" owner("root") group("adm") perm(0640)); };
> filter drop1 { not match ( " session opened|closed for user root|mail") and not match ("STATS: dropped 0"); };
> log { source(s_tcp); source(src); filter(drop1);  destination(logtest); };
> 
> The problem is, HOST B rewrites the message source to itself, so all messages from
> HOST A arriving at HOST C appear to have "occurred" on HOST B.

It's not exactly what happens. syslog-ng rewrites hostnames as it receives
messages, so the message indicates where the message came from. This
behaviour can be changed by the keep_hostname() option, or by using chained
hostnames.

I've summarized the use of these options several times; try to google the
archives:

google: +keep_hostname site:lists.balabit.hu

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
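
Added example, not part of the original message: a sketch of how the keep_hostname() option mentioned in the reply could be applied to the poster's relay (Host B) and master logger (Host C), reusing the poster's statements and `<HOST B>`/`<HOST C>` placeholders. It assumes the `src` source is defined elsewhere as in the poster's setup; because keep_hostname(yes) makes a receiver trust the hostname field written by the sender, the listening port should only be reachable from hosts you control.

```conf
# ---- HOST B (relay) ----
options {
    # With the default keep_hostname(no), the hostname of every received
    # message is replaced by the name or address of the connecting peer,
    # so Host A's messages are later seen by Host C as coming from Host B.
    keep_hostname(yes);   # keep the hostname the sender put in the message

    # Alternative from the reply: leave keep_hostname(no) and enable
    # chain_hostnames(yes) so the relay is added to the host field
    # instead of overwriting it. chain_hostnames() has no effect while
    # keep_hostname(yes) is set.
};

source s_tcp { tcp(localip(<HOST B>) port(1999) max-connections(50)); };
destination mylogger { tcp(<HOST C> port(1999) localport(999)); };
filter all { level(info..err); };
# "src" is the local source from the poster's config (assumed defined elsewhere).
log { source(s_tcp); source(src); filter(all); destination(mylogger); };

# ---- HOST C (master logger) ----
options {
    # Needed here as well: otherwise Host C rewrites the hostname of
    # everything arriving over the connection from Host B to Host B.
    keep_hostname(yes);
};

source s_tcp { tcp(localip(<HOST C>) port(1999) max-connections(50)); };
destination logtest { file("/var/log/logtest.log" owner("root") group("adm") perm(0640)); };
log { source(s_tcp); source(src); destination(logtest); };
```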