[syslog-ng]UDP Source removal
Aaron Jackson
syslog-ng@lists.balabit.hu
Tue, 22 Jul 2003 17:34:22 -0400
All hops along the way need to be syslog-ng. Don't mix syslog and
syslog-ng if you want the original sender.
On Tuesday, July 22, 2003, at 05:25 PM, Tom Oele wrote:
> First off, thanks for the syslog-ng effort. :-)
>
> Setting up a "middle-man" syslog forwarder for multiple IDS devices. The
> issue I'm having is that I need to keep the originating device IP through
> this forwarder. The original message is old syslog to syslog-ng then off
> again to a correlation host with a syslogd listener.
>
> The correlation host needs those messages in their original form instead
> of with the middle man's IP attached.
>
> IDS1(syslog)----->Middle Host(syslog-ng)------>Correlation(syslogd -r)
> ^
> |
> IDS2(syslog)---------
>
> So the correlation host obviously is taking the UDP source from the middle
> man and appending it to the beginning of the message. Have tried using
> keep_hostname() to no avail.
>
> Current options are the following:
>
> options
> {
> sync(0);
> log_fifo_size(1000);
> use_dns(no);
> use_fqdn(no);
> create_dirs(no);
> keep_hostname(yes);
> chain_hostnames(no);
> };
>
>
> Am I missing something here? Ideas?
>
> Thnx,
> T
>
> --
> Neohapsis, Inc.
> Thomas Oele - Network Security Consultant
> 414.289.0966 Milwaukee
> 773.394.8310 Chicago
> www.Neohapsis.com
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
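The following Python model illustrates the point Aaron makes above: keep_hostname(yes) on the syslog-ng middle host preserves the HOSTNAME field inside the message, but a classic syslogd -r listener on the last hop ignores that field and records the UDP source address of whoever sent it the packet, which is the middle host. This is an added example, not code from syslog-ng or from either poster; the addresses, hostnames, sample message and the simplified option semantics (keep_hostname, chain_hostnames, syslogd -r behaviour) are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace


@dataclass
class SyslogMsg:
    """One classic BSD (RFC 3164 style) syslog message."""
    pri: int
    timestamp: str   # "Mmm dd hh:mm:ss", 15 characters
    hostname: str    # HOSTNAME field carried in the header
    body: str        # "TAG: content"

    def render(self) -> str:
        return f"<{self.pri}>{self.timestamp} {self.hostname} {self.body}"


def parse_bsd_syslog(line: str) -> SyslogMsg:
    """Parse '<PRI>Mmm dd hh:mm:ss HOST TAG: text' into its parts."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> prefix")
    end = line.index(">")
    pri = int(line[1:end])
    rest = line[end + 1:]
    timestamp = rest[:15]
    hostname, body = rest[16:].split(" ", 1)
    return SyslogMsg(pri, timestamp, hostname, body)


def relay_syslog_ng(msg: SyslogMsg, sender_addr: str, relay_name: str,
                    keep_hostname: bool = True,
                    chain_hostnames: bool = False) -> SyslogMsg:
    """Simplified model (assumption) of a syslog-ng hop's treatment of HOSTNAME:
    keep_hostname(yes) leaves the header's host alone, keep_hostname(no)
    replaces it with the sending peer's address, chain_hostnames(yes) appends
    this relay's own name as 'orig/relay'."""
    host = msg.hostname if keep_hostname else sender_addr
    if chain_hostnames:
        host = f"{host}/{relay_name}"
    return replace(msg, hostname=host)


def receive_syslogd_r(msg: SyslogMsg, sender_addr: str) -> SyslogMsg:
    """Model of the behaviour Tom observed on the correlation host: a classic
    syslogd -r listener records the UDP source address as the host and
    discards whatever HOSTNAME the header carried."""
    return replace(msg, hostname=sender_addr)


# Constructed topology and sample message (not from the original thread).
IDS_ADDR = "10.0.0.11"      # IDS1 sends with plain syslog
MIDDLE_ADDR = "10.0.0.20"   # middle host running syslog-ng
SAMPLE = "<34>Jul 22 17:25:01 ids1 snort[123]: [1:2003:8] constructed alert"


def path_via_syslogd(line: str, keep_hostname: bool = True) -> tuple:
    """IDS -> syslog-ng middle host -> syslogd -r. Returns the host recorded
    at the middle host and at the correlation host."""
    m = parse_bsd_syslog(line)
    at_middle = relay_syslog_ng(m, IDS_ADDR, "middle", keep_hostname)
    at_corr = receive_syslogd_r(at_middle, MIDDLE_ADDR)
    return at_middle.hostname, at_corr.hostname


def path_via_syslog_ng(line: str, keep_hostname: bool = True) -> tuple:
    """IDS -> syslog-ng middle host -> syslog-ng correlation host, i.e. every
    hop honours the HOSTNAME field when keep_hostname(yes) is set."""
    m = parse_bsd_syslog(line)
    at_middle = relay_syslog_ng(m, IDS_ADDR, "middle", keep_hostname)
    at_corr = relay_syslog_ng(at_middle, MIDDLE_ADDR, "corr", keep_hostname)
    return at_middle.hostname, at_corr.hostname


if __name__ == "__main__":
    print("last hop syslogd -r :", path_via_syslogd(SAMPLE))
    print("last hop syslog-ng  :", path_via_syslog_ng(SAMPLE))
    print("keep_hostname(no)   :", path_via_syslog_ng(SAMPLE, keep_hostname=False))
```

With keep_hostname(yes) the middle host passes "ids1" through unchanged, so the only place the original sender can be lost is a final hop that trusts the packet source instead of the header, which is exactly the mixed syslog/syslog-ng chain the question describes.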