[syslog-ng] re-writing hostnames before sending over TCP

Thomas Morin syslog-ng@lists.balabit.hu
Wed, 29 Oct 2003 09:43:23 +0100


Quote nate <syslog-ng@aphroland.org>:
 | 
 | I am trying to configure a semi-secure syslog setup. The primary
 | program that will be logging to it is java via log4j. log4j apparently
 | cannot log to a socket with syslog (as far as I can tell?) only to
 | a udp source, so I configured syslog-ng to bind to 127.0.0.1 on
 | port 514 tcp/udp and it receives the messages fine but the 'host'
 | that is being logged is localhost. I can re-write the log entries
 | using a template for local files but I can't seem to get it working
 | for sending to a remote syslog server. No matter what options I
 | use it always ends up either localhost or 127.0.0.1 for the hostname.
 | One thing I haven't tried is setting up a filter on the remote server
 | using the host() option but I don't think it would work because the
 | host there would be localhost too not the host of the server sending
 | the message ?

As far as I know, log4j doesn't provide a hostname in the messages it sends
(that is, except if you change the conversion pattern of the log4j syslog
appender).

I believe that syslog-ng, when no hostname is provided in the message itself,
creates a hostname by re(ver)solving the IP. Perhaps 127.0.0.1 (source IP of
the message) is just resolving back to plain 'localhost' and this is what
your syslog-ng logs. In this case you could just tweak your /etc/hosts to make
127.0.0.1 resolve back to the hostname you want instead of localhost.

Otherwise, you may try to adapt the conversion pattern of the log4j syslog
appender to include the hostname, but you may end up in a situation where you
have to make some Java code to generate the conversion pattern (there is no
%"something" that gives the hostname...).

-Thomas
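
Added example, not part of the original message and not syslog-ng's own code: a simplified Python model of the behaviour described in the reply above, where a receiver takes the HOSTNAME field of a BSD-syslog (RFC 3164) message if one is present and otherwise names the sender from the source address. The function name, the injected lookup tables and the sample messages are constructed for illustration.

```python
import re

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text
PRI = re.compile(r"<(\d{1,3})>")
STAMP = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def effective_host(raw, source_ip, reverse_lookup):
    """Return (host, origin). origin records where the name came from:
    'message' (sender-supplied), 'reverse-lookup' or 'source-ip'."""
    m = PRI.match(raw)
    rest = raw[m.end():] if m else raw
    ts = STAMP.match(rest)
    if ts:
        token = rest[ts.end():].split(" ", 1)[0]
        # A token ending in ':' or carrying '[pid]' is the TAG, not a HOSTNAME.
        if token and not token.endswith(":") and "[" not in token:
            return token, "message"
    # No usable header: fall back to what the receiver knows about the peer.
    name = reverse_lookup(source_ip)
    return (name, "reverse-lookup") if name else (source_ip, "source-ip")

# Constructed stand-ins for /etc/hosts before and after the suggested tweak.
HOSTS_DEFAULT = {"127.0.0.1": "localhost"}
HOSTS_TWEAKED = {"127.0.0.1": "app01.example.net"}

# Constructed sample messages as they might arrive on 127.0.0.1:514.
BARE = "<14>Failed login for user admin"               # no header at all
TAG_ONLY = "<14>Oct 29 09:43:23 myapp[123]: started"   # timestamp, no host
FULL = "<14>Oct 29 09:43:23 app01 myapp: started"      # host in message

if __name__ == "__main__":
    for label, table in (("default", HOSTS_DEFAULT), ("tweaked", HOSTS_TWEAKED)):
        for msg in (BARE, TAG_ONLY, FULL):
            print(label, effective_host(msg, "127.0.0.1", table.get), msg)
```

The `origin` value matters when reading the resulting logs: a name taken from the message is whatever the sender wrote, while the other two come from the receiver's own view of the connection.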