[syslog-ng]relay host address changes source hosts ip in message
Hamilton, Andrew
syslog-ng@lists.balabit.hu
Thu, 25 Mar 2004 15:06:27 -0500
You need keep_hostname(yes) on both the relay host and the central host.
Regards,
Drew
-----Original Message-----
From: William Rude [mailto:wrude@gardrail.com]
Sent: Wednesday, March 24, 2004 3:20 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]relay host address changes source hosts ip in message
Greetings,
I've been tasked to set up a syslog relay network from various POPs to a
centralized syslog server for insertion into a database.
The problem I'm running into is at the various POPs. For example, let's call
the first one POP-A. At POP-A, I have syslog-ng version 1.6.0rc4 set up to
receive both UDP and TCP syslog connections. It, in turn, relays the syslog
messages to the central server. When I look at the incoming data on the
centralized server, the incoming data shows that the source host information
is being re-written with the relay host's IP.
System stats are:
Solaris 8 intel
Syslog-ng 1.6.0rc4
POP-A configuration file follows:
options {
long_hostnames(off);
use_dns(no);
use_fqdn(no);
dns_cache(no);
check_hostname(yes);
keep_hostname(no);
chain_hostnames(no);
# On Solaris, log(3) truncates at 1024 chars
log_msg_size(8192);
# buffer just a little for performance
sync(0);
# memory is cheap, buffer messages unable to write (like to loghost)
log_fifo_size(10240);
# The time to wait before a dead connection is reestablished (seconds)
time_reopen(10);
create_dirs(yes);
owner("root");
group("other");
perm(0600);
use_time_recvd(yes);
};
source src {
# This is the source of syslog.
# The default syslog protocol port is 514
udp();
tcp(max-connections(1024));
};
source l_src {
# Messages generated by syslog-ng itself, plus the local
# Solaris /dev/log stream
internal();
sun-streams("/dev/log");
};
destination syslogfile {
file(
"/var/log/syslogng/$HOST.log"
);
udp("1.1.1.1");
};
filter priorityfilter {
priority(debug,info,notice,warning,err,crit,alert,emerg);
};
###############################################################
log {
source(src);
source(l_src);
filter(priorityfilter);
destination(syslogfile);
};
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
Server syslog-ng configuration follows:
------------------------------------------------------
------------------------------------------------------
------------------------------------------------------
options {
long_hostnames(yes);
use_dns(no);
use_fqdn(no);
dns_cache(no);
# dns_cache_size(500);
# dns_cache_expire(3600);
# dns_cache_expire_failed(3600);
# check_hostname(yes);
keep_hostname(no);
chain_hostnames(no);
# On Solaris, log(3) truncates at 1024 chars
log_msg_size(8192);
# buffer just a little for performance
sync(0);
# memory is cheap, buffer messages unable to write (like to loghost)
log_fifo_size(10240);
# The time to wait before a dead connection is reestablished (seconds)
time_reopen(10);
create_dirs(yes);
owner("root");
group("other");
perm(0640);
use_time_recvd(yes);
};
###############################################################
source src {
# This is the source of syslog.
# The default syslog protocol port is 514
udp();
# Messages generated by syslog-ng itself
internal();
};
source l_src {
# Local Solaris /dev/log stream (the driver name is sun-streams)
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
};
destination syslogfile {
file(
"/var/log/syslogng/$YEAR_$MONTH_$DAY_$HOST.log"
);
};
destination program1 {
# program() takes the command as a quoted string
program(
"/path/to/uber/syslog/program.pl"
template
("ˇ$HOSTˇ$FACILITYˇ$PRIORITYˇ$LEVELˇ$TAGˇ$FULLDATEˇ$PROGRAMˇ$MSG\n")
template-escape(yes)
);
};
filter priorityfilter {
priority(debug,info,notice,warning,err,crit,alert,emerg);
};
filter dropsyslog {
not match("syslog-ng*");
};
###############################################################
log {
source(src);
filter(dropsyslog);
filter(priorityfilter);
destination(program1);
destination(syslogfile);
};
###############################################################
log {
source(l_src);
destination(program1);
destination(syslogfile);
};
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
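The following is an added example, not a configuration from the thread or from the syslog-ng project. It reduces the two configurations above to the options that decide what $HOST contains on the central server, and shows Drew's fix (keep_hostname(yes) on both hops) next to the original setting. The source names, the "central" destination name and the relay address 1.1.1.1 (taken from the original post) are assumptions; the rest follows syslog-ng 1.6 syntax as used in the thread.

```conf
# Added example: minimal relay and central syslog-ng 1.6 configurations.
# With keep_hostname(no), syslog-ng replaces the hostname carried in each
# message with the address of the peer it received the message from, so by
# the time a message reaches the central server its $HOST is the relay's IP.
# keep_hostname(yes) on BOTH hops preserves the originating host's name.

# --- POP-A relay ---
options {
    # keep_hostname(no);   # original: $HOST becomes POP-A's own address
    keep_hostname(yes);    # fix: keep the origin host's name from the message
    chain_hostnames(no);   # do not append the relay name to $HOST
    check_hostname(yes);   # verify the hostname contains only valid characters
    use_dns(no);
    use_time_recvd(yes);
};
source src {
    udp();
    tcp(max-connections(1024));
};
destination central {
    udp("1.1.1.1");        # central server address from the original post
};
log { source(src); destination(central); };

# --- central server ---
options {
    # keep_hostname(no);   # original: $HOST overwritten with POP-A's address
    keep_hostname(yes);    # fix: trust $HOST as relayed from POP-A
    chain_hostnames(no);
    use_dns(no);
    use_time_recvd(yes);
};
source relays {
    udp();                 # assumed: the relays send over UDP, as in the post
};
destination syslogfile {
    # per-origin files now carry the originating host's name, not the relay's
    file("/var/log/syslogng/$YEAR_$MONTH_$DAY_$HOST.log");
};
log { source(relays); destination(syslogfile); };
```

The trade-off worth knowing before switching this on: with keep_hostname(yes) the central server records whatever hostname the sender wrote into the message, so $HOST is no longer a value syslog-ng derived from the network peer. Any device that can reach the relay's udp() or tcp() source can therefore label its messages with another host's name, and the per-host log files (and the database insert fed by program1) will be keyed on that unverified field. Restrict which networks can reach the relay and central sources, keep check_hostname(yes) on the relay so malformed hostnames are not accepted, and if the path a message took matters for investigations, chain_hostnames(yes) switches $HOST to the chained form that records the relay as well as the origin.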