[syslog-ng]relay host address changes source hosts ip in message

William Rude syslog-ng@lists.balabit.hu
Wed, 24 Mar 2004 15:20:05 -0500


Greetings,

I've been tasked to set up a syslog relay network from various POPs to a 
centralized syslog server for insertion into a database.

The problem I'm running into is at the various POPs. For example, let's call 
the first one POP-A.  At POP-A, I have syslog-ng version 1.6.0rc4 set up to 
receive both UDP and TCP syslog connections.  It, in turn, relays the syslog 
messages to the central server.  When I look at the incoming data on the 
centralized server, it shows that the source host information 
is being re-written with the relay host's IP. 

System stats are:

Solaris 8 intel
Syslog-ng 1.6.0rc4

POP-A configuration file follows:

# Relay (POP-A) global options.
# Hostname handling: keep_hostname(no) together with use_dns(no) makes $HOST
# the IP address of whichever client sent the message to this relay, and that
# is the value forwarded to the central server in the hostname field.
# (chain_hostnames(yes) would instead produce "relay/client", keeping both
# hops visible at the cost of a longer hostname field.)
options { 
        long_hostnames(off); 
        use_dns(no);
        use_fqdn(no);
        dns_cache(no);
        # reject hostnames containing invalid characters; worth keeping
        # because $HOST is used to build a file path in destination syslogfile
        check_hostname(yes);
        keep_hostname(no);
        chain_hostnames(no);
        # On Solaris, log(3) truncates at 1024 chars
        log_msg_size(8192);
        # buffer just a little for performance
        sync(0); 
        # memory is cheap, buffer messages unable to write (like to loghost)
        log_fifo_size(10240); 
        # The time to wait before a dead connection is reestablished (seconds)
        time_reopen(10);
        create_dirs(yes);
        owner("root"); 
        group("other"); 
        perm(0600);
        # NOTE(review): this replaces the client's own timestamp with the time
        # the relay received the message, so the original time is not
        # recoverable downstream -- confirm that is acceptable for the import
        use_time_recvd(yes); 
};

# Network listener: accepts syslog from the POP's clients over UDP and TCP.
source src { 
        # This is the source of syslog.
        # Both drivers default to the syslog port, 514.
        udp();
        # NOTE(review): neither listener restricts the peer address, so
        # anything able to reach these ports is accepted and relayed --
        # confirm the network filtering in front of this host
        tcp(max-connections(1024));

};
# Local sources: syslog-ng's own internal messages and the Solaris
# /dev/log stream device.
source l_src { 
        # messages generated by syslog-ng itself (startup, errors, statistics)
        internal(); 
        # local Solaris syslog stream device
        # NOTE(review): spelled sun-streams here but sun-stream in the server
        # config -- confirm both forms are accepted by 1.6.0rc4
        sun-streams("/dev/log");
};
# Local copy of every message, one file per source host, plus the forward
# to the central server.
destination syslogfile {
       file(
                # $HOST becomes part of the path; check_hostname(yes) in the
                # options block is meant to reject hostnames with characters
                # that do not belong in a hostname (and thus in a path)
                "/var/log/syslogng/$HOST.log"
        );
        # forward to the central server (the address is presumably a
        # placeholder in this post). UDP gives no delivery guarantee and no
        # transport protection; the log_fifo_size/time_reopen buffering set
        # above only helps a tcp() destination, so tcp() would be the more
        # reliable choice if the server is given a tcp() listener (its
        # config currently has udp() only).
        udp("1.1.1.1");             
};
# Lists all eight syslog levels, so every message passes; effectively a
# placeholder that can be narrowed later.
filter priorityfilter {
        priority(debug,info,notice,warning,err,crit,alert,emerg);
};
###############################################################
# Relay path: everything from the network listeners and the local sources
# goes to the local per-host file and on to the central server.
log { 
        source(src); 
        source(l_src);
        filter(priorityfilter);
        destination(syslogfile);
};


------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
Server syslog-ng configuration follows:
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------

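# Central server global options.
# Fix: the server had keep_hostname(no), which replaces the hostname field of
# every incoming message with the address of the peer it arrived from -- the
# relay's IP -- so the original source host was lost (the symptom reported
# above). keep_hostname(yes) keeps the hostname the relay already filled in
# with the original client's address.
# Because $HOST now comes from the message rather than from the socket, and
# $HOST is used to build a file path in destination syslogfile, check_hostname
# is enabled so hostnames containing invalid characters are rejected. The
# server also now trusts the hostname field of whatever reaches its listener,
# so that listener should only be reachable from the relays.
options { 
        # NOTE(review): long_hostnames() appears to be an older alias of
        # chain_hostnames(); these two lines disagree and the later
        # chain_hostnames(no) presumably wins -- confirm and drop one
        long_hostnames(yes); 
        use_dns(no);
        use_fqdn(no);
        dns_cache(no);
#       dns_cache_size(500);
#       dns_cache_expire(3600);
#       dns_cache_expire_failed(3600);
        # required once the hostname is taken from the message itself
        check_hostname(yes);
        # keep the hostname set by the relay instead of the relay's IP
        keep_hostname(yes);
        chain_hostnames(no);
        # On Solaris, log(3) truncates at 1024 chars
        log_msg_size(8192);
        # buffer just a little for performance
        sync(0); 
        # memory is cheap, buffer messages unable to write (like to loghost)
        log_fifo_size(10240); 
        # The time to wait before a dead connection is reestablished (seconds)
        time_reopen(10);
        create_dirs(yes);
        owner("root"); 
        group("other"); 
        perm(0640);
        # NOTE(review): stamps messages with the server's receive time,
        # discarding the time the relay put in -- confirm for the import
        use_time_recvd(yes); 
};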
###############################################################
# Listener for the relays (udp only -- the relays forward with udp()).
source src { 
        # This is the source of syslog.
        # Default port 514.
        # NOTE(review): if keep_hostname(yes) is set (needed to stop the
        # relay address replacing the source host), the server takes $HOST
        # from the message itself and so trusts whatever reaches this
        # socket; accept traffic only from the relay addresses (a netmask()
        # filter, or filtering in front of the host) -- confirm.
        udp();
        # messages generated by syslog-ng itself; internal() is also
        # declared in l_src below, so internal messages presumably reach
        # both log statements -- confirm the duplication is intended
        internal(); 
};

# Local sources on the central server itself.
source l_src {
        # Solaris syslog stream device; door() names the door file that
        # syslogd normally provides, presumably so local syslog(3) callers
        # do not block -- confirm.
        # NOTE(review): written sun-stream here but sun-streams in the POP-A
        # config -- confirm both spellings are accepted by this version
        sun-stream("/dev/log" door("/etc/.syslog_door"));
        # also declared in source src above
        internal();
};

# One file per day and per source host.
destination syslogfile { 
       file(
                # NOTE(review): the macro names run straight into "_"; if the
                # parser reads "$YEAR_" as a single macro name, parts of the
                # file name come out empty. ${YEAR}_${MONTH}_${DAY}_${HOST} is
                # the unambiguous form -- verify it is accepted by 1.6.0rc4.
                # $HOST is part of the path; when the hostname is kept from
                # the message, check_hostname(yes) matters for this path.
                "/var/log/syslogng/$YEAR_$MONTH_$DAY_$HOST.log"       
        );

};

# Pipes every message to the database import script, one line per message,
# fields separated by the delimiter character used in the template.
destination program1 {
        # NOTE(review): the program path is given without quotes, unlike the
        # other string arguments in this file -- confirm the parser accepts it
        program( 
                /path/to/uber/syslog/program.pl
                # NOTE(review): the separator shows up here as a non-ASCII
                # character, likely mangled in transit; confirm the actual
                # byte used, and that the import script copes with that byte
                # appearing inside $MSG, since it would shift the columns
                template
("ˇ$HOSTˇ$FACILITYˇ$PRIORITYˇ$LEVELˇ$TAGˇ$FULLDATEˇ$PROGRAMˇ$MSG\n")
                # escapes quote characters in macro values
                template-escape(yes)
        );
};

# Lists all eight syslog levels, so every message passes; effectively a
# placeholder that can be narrowed later.
filter priorityfilter {
        priority(debug,info,notice,warning,err,crit,alert,emerg);
};
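# Drop syslog-ng's own messages before the database import.
# Fix: match() takes a regular expression, so the original "syslog-ng*"
# meant "syslog-n followed by any number of g" -- the trailing * did not act
# as a glob, and the filter matched "syslog-n" anywhere in the text.
# NOTE(review): match() looks at message text, so any message containing the
# string is discarded regardless of which program produced it; a
# program("syslog-ng") test would be tighter if this version supports it --
# confirm.
filter dropsyslog { 
        not match("syslog-ng"); 
};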
###############################################################
# Relay-fed path: network messages minus syslog-ng's own, to the import
# script and the daily per-host files.
log { 
        source(src); 
        filter(dropsyslog);
        filter(priorityfilter);
        destination(program1); 
        destination(syslogfile); 
};
###############################################################
# Local path. No dropsyslog filter here, and l_src also declares
# internal(), so syslog-ng's own messages presumably still reach both
# destinations through this statement -- confirm that is intended.
log {
        source(l_src);
        destination(program1);
        destination(syslogfile);
};