[syslog-ng]syslog-ng & BSD Relay Host

[Philip Webster]

Hello,

I'm having some trouble with a BSD relay host, and wonder if anyone out 
there may have a solution.  The relay picks up messages from routers, 
switches, PIXes, etc and sends them via UDP (standard syslog daemon) to 
a central syslog-ng host.  The messages 'on the wire' look like this 
(tcpdump output):

Forwarded from host.domain: Oct 27 2003 09:43:47: %PIX-4-106023: Msg ...

So the hostname in the syslog message is 'Forwarded from host.domain'. 
This appears to be interpreted by syslog-ng as 'Forwarded', which 
adheres (as it should) to RFC 3164.

I'm splitting up the logs based on hostname, so I'd like to be able to 
log to a file named after the host which sent the log.  So far all of my 
playing around with options has resulted in either:

1) logs go to a file named relayhost with the entry:

relayhost from host.domain: Oct 27 2003 09:43:47: %PIX-4-106023: Message

so this is just the message on with wire with the 'relayhost' in place 
of 'Forwarded',

2) logs go to a file named 'Forwarded' with the entry:

Forwarded from host.domain: Oct 27 2003 09:43:47: %PIX-4-106023: Message

so the word 'Forwarded' is taken to be the hostname, or

3) logs go to a file named 'Forwarded' with the entry:

Forwarded/relayhost from host.domain: Oct 27 2003 09:43:47: 
%PIX-4-106023: Message

so the hostname still appears to be 'Forwarded', but the chaining 
options also show the relay host.

What I would like is to have the logs placed in a file named after the 
original sender (host.domain in the tcpdump output above).  Is this 
possible?  All my attempts have relied around using global options and 
file templates - I haven't looked at using filters yet, so maybe this is 
what I need to do.

This appears to be a BSD problem, as it modifies the actual message 
before relaying it on, but I cannot find an option to stop BSD syslog 
from doing this.

Any thoughts?

Thanks
Phil