[syslog-ng] Interpreting Relayed Messages

Keith Resar syslog-ng@lists.balabit.hu
Wed, 2 Apr 2003 14:07:11 -0500


In my current syslog setup, some messages are transferred
periodically via mail to the central syslog machine, at which time
they are formatted into proper syslog packets, then delivered via
UDP to the syslog-ng process on the local machine.

This setup works well considering the limitations of the network[1],
but for the hostname field of the syslog packet, and how syslog-ng
processes this.

The message sent to syslog-ng contains the hostname of the original
machine (remote) only.  After syslog-ng on the local machine (local)
processes the message, the hostname field contains "remote/local".

I understand why this change was made and accept it.  However, the
problem comes when syslog-ng filters this message by host, and the
message matches for "local".

When writing the message to a file destination, it is stored in the
proper directory[2], so syslog-ng clearly understands that the host
"remote" generated the message and it was relayed through "local".

Any ideas how to avoid this?  I understand that there is a
configuration command which allows a message to match only one log
field, but my messages must be directed both to a SWATCH process and
to a file destination.  I'd also prefer to rule out complex filter
rules which include "remote" and exclude "local" [3].

Since $HOST expands correctly, is it possible to write a filter rule
like:  filter myFilter { "remote" == $HOST;}?


Thanks,
Keith Resar.


1: There is no way for the machine that generates the messages to
connect to the central log host, unless I rig something up using
stunnel, etc.  I'm not interested in tackling this problem.

2: Since the message was generated by the machine "remote", $HOST
expands to remote.

3: Something like:
	filter myFilter { host("remote") and not host("local"); };
Assuming that this syntax is even valid.

--
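As an added illustration (not part of the original post, and not a reply from the list), the following syslog-ng configuration fragment shows the two places where the relay problem described above is usually handled: the `chain_hostnames()` / `keep_hostname()` options, which control whether the receiving host prepends its own name, and an anchored `host()` filter. `host()` matches a regular expression against the HOST field rather than testing equality, so an unanchored `host("remote")` would also match `remote/local` or `remote2`. Hostnames, paths and the port are constructed placeholders; that `chain_hostnames(no)` leaves HOST as `remote` for network-received messages is an assumption to verify against the documentation of the syslog-ng version in use.

```conf
# Added example (not from the original post): a minimal syslog-ng
# configuration that keeps a relayed sender's name intact so that a
# host() filter can match it exactly.  Hostnames, paths and the port
# are constructed placeholders.
options {
    # Assumption: with chaining off, HOST stays "remote" instead of
    # becoming "remote/local" when the message arrives over the network.
    chain_hostnames(no);
    # Trust the hostname carried inside the received syslog packet.
    keep_hostname(yes);
};

# The mail-fed re-injector delivers packets to UDP/514 on localhost.
source s_relayed { udp(ip(127.0.0.1) port(514)); };

# host() takes a regular expression; anchor it so that "remote2" or a
# chained "remote/local" cannot match by accident.  If chaining has to
# stay on, use host("^remote/") instead.
filter f_remote { host("^remote$"); };

# Fan out to both the per-host file and the SWATCH-watched file from a
# single log path, so one message reaches both destinations.
destination d_perhost { file("/var/log/hosts/$HOST/messages"); };
destination d_swatch  { file("/var/log/swatch/remote.log"); };

log { source(s_relayed); filter(f_remote);
      destination(d_perhost); destination(d_swatch); };
```

Keeping both destinations in one `log {}` statement is what avoids the "match only one log path" restriction mentioned in the post: the filter is evaluated once and the message is written to every destination listed.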