[syslog-ng] UDP Source removal
Tom Oele
syslog-ng@lists.balabit.hu
Tue, 22 Jul 2003 16:25:44 -0500 (CDT)
First off, thanks for the syslog-ng effort. :-)
Setting up a "middle-man" syslog forwarder for multiple IDS devices. The
issue I'm having is that I need to keep the originating device IP through
this forwarder. The original message is old syslog to syslog-ng then off
again to a correlation host with a syslogd listener.
The correlation host needs those messages in their original form instead
of with the middle man's IP attached.
IDS1(syslog)----->Middle Host(syslog-ng)------>Correlation(syslogd -r)
                        ^
                        |
IDS2(syslog)-------------
So the correlation host obviously is taking the UDP source from the middle
man and appending it to the beginning of the message. Have tried using
keep_hostname() to no avail.
Current options are the following:
options
{
    sync(0);
    log_fifo_size(1000);
    use_dns(no);
    use_fqdn(no);
    create_dirs(no);
    keep_hostname(yes);
    chain_hostnames(no);
};
Am I missing something here? Ideas?
Thnx,
T
--
Neohapsis, Inc.
Thomas Oele - Network Security Consultant
414.289.0966 Milwaukee
773.394.8310 Chicago
www.Neohapsis.com
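Added example, not part of the original post or of syslog-ng itself: a small model of what a relay does to the HOSTNAME field of an old-style (RFC 3164) syslog message under the two options the post is tuning, keep_hostname() and chain_hostnames(). With keep_hostname off the relay substitutes the UDP peer address for the hostname carried in the message, which is exactly the "middle man's IP" effect described above; with it on, the field is forwarded as the originating device wrote it. Because a relay that keeps the hostname is trusting a field the sender controls, the block also includes a simple consistency check a defender can run on the receiving side: compare the HOSTNAME field against the expected name for the peer address the datagram arrived from. All hostnames, addresses and the sample alert lines are constructed for the example; the facility/severity split of the PRI value is standard syslog.

```python
import re
from dataclasses import dataclass

# Constructed samples of what the two IDS boxes might send over UDP
# (RFC 3164 "old syslog" format). Names and text are made up.
SAMPLE_FROM_IDS1 = "<134>Jul 22 16:25:44 ids1 snort[1234]: [1:2003:1] constructed alert A"
SAMPLE_FROM_IDS2 = "<134>Jul 22 16:25:45 ids2 snort[4321]: [1:2004:1] constructed alert B"
RELAY_NAME = "midhost"  # hypothetical name of the syslog-ng "middle man"

# Constructed peer-address -> expected hostname map for the receiving side.
EXPECTED_HOST_FOR_PEER = {"192.0.2.10": "ids1", "192.0.2.11": "ids2"}

# <PRI>TIMESTAMP HOSTNAME MSG  (TIMESTAMP is "Mmm dd hh:mm:ss", day space-padded)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogMsg:
    pri: int
    timestamp: str
    host: str
    msg: str

    @property
    def facility(self) -> int:
        return self.pri // 8  # e.g. 134 // 8 = 16 -> local0

    @property
    def severity(self) -> int:
        return self.pri % 8   # e.g. 134 % 8 = 6 -> info

    def render(self) -> str:
        return f"<{self.pri}>{self.timestamp} {self.host} {self.msg}"


def parse_rfc3164(line: str) -> SyslogMsg:
    """Split an RFC 3164 line into PRI, timestamp, hostname and message body."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    return SyslogMsg(int(m["pri"]), m["ts"], m["host"], m["msg"])


def relay(line: str, peer_addr: str, *, keep_hostname: bool,
          chain_hostnames: bool, relay_name: str = RELAY_NAME) -> str:
    """Model of how a relay rewrites HOSTNAME before forwarding.

    keep_hostname=False : HOSTNAME replaced by the address the datagram came from.
    keep_hostname=True  : HOSTNAME forwarded as the original sender wrote it.
    chain_hostnames=True: the relay appends its own name as "orig/relay".
    """
    msg = parse_rfc3164(line)
    host = msg.host if keep_hostname else peer_addr
    if chain_hostnames:
        host = f"{host}/{relay_name}"
    return SyslogMsg(msg.pri, msg.timestamp, host, msg.msg).render()


def hostname_matches_peer(line: str, peer_addr: str,
                          expected=EXPECTED_HOST_FOR_PEER) -> bool:
    """Receiving-side check: does the sender-supplied HOSTNAME agree with the
    name we expect for the peer address?  Returns False for unknown peers and
    for messages whose HOSTNAME field does not match."""
    msg = parse_rfc3164(line)
    return expected.get(peer_addr) == msg.host


if __name__ == "__main__":
    for opts in ({"keep_hostname": False, "chain_hostnames": False},
                 {"keep_hostname": True, "chain_hostnames": False},
                 {"keep_hostname": True, "chain_hostnames": True}):
        print(opts, "->", relay(SAMPLE_FROM_IDS1, "192.0.2.10", **opts))
    print("consistent:", hostname_matches_peer(SAMPLE_FROM_IDS1, "192.0.2.10"))
    print("mismatch:  ", hostname_matches_peer(SAMPLE_FROM_IDS1, "192.0.2.11"))
```

Running the block prints the three rewritten forms of the same alert: the peer address in place of the hostname, the untouched original, and the chained "ids1/midhost" form. The consistency check is the piece worth carrying over to the correlation host: once a relay forwards hostnames verbatim, a mismatch between the field and the peer the message arrived from is the signal that something upstream is mislabelling or spoofing its messages.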