[syslog-ng]relay host address changes source hosts ip in message
William Rude
syslog-ng@lists.balabit.hu
Wed, 24 Mar 2004 15:20:05 -0500
Greetings,
I've been tasked to set up a syslog relay network from various POPs to a
centralized syslog server for insertion into a database.
The problem I'm running into is at the various POPs. For example, let's call
the first one POP-A. At POP-A, I have syslog-ng version 1.6.0rc4 set up to
receive both UDP and TCP syslog connections. It in turn relays the syslog
messages to the central server. When I look at the incoming data on the
centralized server, it shows that the source host information
is being re-written with the relay host's IP.
System stats are:
Solaris 8 intel
Syslog-ng 1.6.0rc4
POP-A configuration file follows:
options {
    long_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    check_hostname(yes);
    keep_hostname(no);
    chain_hostnames(no);
    # On Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(0);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(10240);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    create_dirs(yes);
    owner("root");
    group("other");
    perm(0600);
    use_time_recvd(yes);
};

source src {
    # Network syslog sources from the POP's devices.
    # The default protocol port is 514
    udp();
    tcp(max-connections(1024));
};

source l_src {
    # Internal messages of syslog-ng itself and of the local server
    internal();
    sun-streams("/dev/log");
};

destination syslogfile {
    file(
        "/var/log/syslogng/$HOST.log"
    );
    # relay everything to the central server
    udp("1.1.1.1");
};

filter priorityfilter {
    priority(debug,info,notice,warning,err,crit,alert,emerg);
};

###############################################################
log {
    source(src);
    source(l_src);
    filter(priorityfilter);
    destination(syslogfile);
};
------------------------------------------------------
Server syslog-ng configuration follows:
------------------------------------------------------
options {
    long_hostnames(yes);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    # dns_cache_size(500);
    # dns_cache_expire(3600);
    # dns_cache_expire_failed(3600);
    # check_hostname(yes);
    keep_hostname(no);
    chain_hostnames(no);
    # On Solaris, log(3) truncates at 1024 chars
    log_msg_size(8192);
    # buffer just a little for performance
    sync(0);
    # memory is cheap, buffer messages unable to write (like to loghost)
    log_fifo_size(10240);
    # The time to wait before a dead connection is reestablished (seconds)
    time_reopen(10);
    create_dirs(yes);
    owner("root");
    group("other");
    perm(0640);
    use_time_recvd(yes);
};

###############################################################
source src {
    # Network syslog received from the POP relays.
    # The default protocol port is 514
    udp();
    # Internal messages of syslog-ng itself
    internal();
};

source l_src {
    # Local Solaris syslog stream plus the syslog door
    sun-streams("/dev/log" door("/etc/.syslog_door"));
    internal();
};

destination syslogfile {
    file(
        "/var/log/syslogng/$YEAR_$MONTH_$DAY_$HOST.log"
    );
};

destination program1 {
    # Path to the database loader; the program name must be a quoted string
    program(
        "/path/to/uber/syslog/program.pl"
        template
        ("ˇ$HOSTˇ$FACILITYˇ$PRIORITYˇ$LEVELˇ$TAGˇ$FULLDATEˇ$PROGRAMˇ$MSG\n")
        template-escape(yes)
    );
};

filter priorityfilter {
    priority(debug,info,notice,warning,err,crit,alert,emerg);
};

filter dropsyslog {
    # match() takes a regular expression
    not match("syslog-ng*");
};

###############################################################
log {
    source(src);
    filter(dropsyslog);
    filter(priorityfilter);
    destination(program1);
    destination(syslogfile);
};

###############################################################
log {
    source(l_src);
    destination(program1);
    destination(syslogfile);
};
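The behaviour described in the post turns on how each syslog-ng hop derives the $HOST field it stores and relays: with keep_hostname(no) a hop discards the hostname carried inside the message and substitutes the address it received the message from (with use_dns(no), the bare IP), while keep_hostname(yes) preserves the HOST field as sent. The following Python model is an added example, not part of the original post and not syslog-ng's own code; it walks a constructed BSD-style syslog line through a client -> relay -> server chain and reports what $HOST each hop sees under each setting. The addresses, hostname and log line are constructed sample values.

```python
"""Model of how a syslog-ng relay chain rewrites the HOST field.

Added example: illustration code, not part of the original post and not
syslog-ng's implementation. It simulates the effect of keep_hostname() on
each hop for BSD-style (RFC 3164) syslog lines using constructed data.
"""
import re
from dataclasses import dataclass

# BSD syslog line layout: "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG"
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)


@dataclass
class SyslogMessage:
    pri: int
    timestamp: str
    host: str   # the HOST field carried inside the message
    rest: str   # "program[pid]: text"


def parse(line: str) -> SyslogMessage:
    """Parse a BSD syslog line; raise if the HOST field cannot be located."""
    m = _BSD_RE.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    return SyslogMessage(int(m["pri"]), m["ts"], m["host"], m["rest"])


def serialize(msg: SyslogMessage) -> str:
    """Rebuild the line exactly as a hop would relay it onward."""
    return f"<{msg.pri}>{msg.timestamp} {msg.host} {msg.rest}"


def receive(line: str, peer_addr: str, *, keep_hostname: bool) -> SyslogMessage:
    """What one syslog-ng hop stores as $HOST for a message from peer_addr.

    With use_dns(no) the sender is identified by its IP address only.
      keep_hostname(no)  -> $HOST becomes the address the message arrived from
      keep_hostname(yes) -> $HOST stays what the message itself carried
    """
    msg = parse(line)
    if not keep_hostname:
        msg.host = peer_addr
    return msg


def forward_chain(line: str, hops: list) -> list:
    """Push one line through a list of (peer_addr, keep_hostname) hops.

    Returns the $HOST value seen at each hop. peer_addr is the address the hop
    receives from: the original client for the first hop, the previous relay
    for every later hop.
    """
    seen = []
    current = line
    for peer_addr, keep in hops:
        msg = receive(current, peer_addr, keep_hostname=keep)
        seen.append(msg.host)
        current = serialize(msg)   # the hop relays its rewritten copy
    return seen


# Constructed sample: a router at 10.0.0.5 logs to relay POP-A (10.0.0.1),
# which forwards to the central server. All values are placeholders.
SAMPLE = "<34>Mar 24 15:20:05 router1 sshd[1042]: Accepted publickey for admin"
CLIENT, RELAY = "10.0.0.5", "10.0.0.1"


def demo_keep_no() -> list:
    """Both hops with keep_hostname(no): the server ends up with the relay's IP."""
    return forward_chain(SAMPLE, [(CLIENT, False), (RELAY, False)])


def demo_keep_yes_on_server() -> list:
    """Only the server keeps hostnames: it records what the relay sent (client IP)."""
    return forward_chain(SAMPLE, [(CLIENT, False), (RELAY, True)])


def demo_keep_yes_both() -> list:
    """Both hops keep hostnames: the router's own name survives end to end."""
    return forward_chain(SAMPLE, [(CLIENT, True), (RELAY, True)])


if __name__ == "__main__":
    for name, fn in [("keep_hostname(no) on both hops", demo_keep_no),
                     ("keep_hostname(yes) on server only", demo_keep_yes_on_server),
                     ("keep_hostname(yes) on both hops", demo_keep_yes_both)]:
        print(f"{name:34} $HOST per hop: {fn()}")
```

Run the script and compare the three lines: the first setting reproduces the symptom in the post (the central server stores the relay's address), the second shows the server recording the client address the relay substituted, and the third shows the hostname carried inside the message surviving the whole chain. The model deliberately ignores chain_hostnames() and DNS resolution so that the effect of keep_hostname() alone is visible.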