[syslog-ng] rhost field

ken.schweiker at faa.gov ken.schweiker at faa.gov
Wed Dec 28 19:45:26 CET 2005

I guess I asked the wrong question. We're not supplying data for the the
rhost field so there wouldn't be any present in my previous example. Thank
you for pointing that out.

But, my question would be more correctly stated as how do I distinguish the
log data, from multiple hosts, feeding into a central syslog-ng server? I'm
missing something obvious, since there is not an IP address to identify the

I am logging everything based on source udp514 into a seperate file.

options { keep_hostname(no); use_dns(no); sync(0); };\

source rmt_udp { udp(ip("") port(514)); };
destination d_all { file("/var/log/all.log"); };
log { source(rmt_udp); destination(d_all); };

On Wed, 2005-12-28 at 10:28 -0500, ken.schweiker at faa.gov wrote:
> I hope someone can answer a few basic questions to help with my
> described problem. Since I have not used syslog before....
> Is the rhost field where I should see some value? specifically the
> originating ip address of the msg.?
>       my field is blank.
> Does anyone else use the version 1.6.2. and not have this problem?

Uh huh, you mean the rhost field _inside_ the message part?

Dec 23 17:50:12 suselog/suselog su(pam_unix)[13205]: authentication
failure; logname=syss555 uid=500 euid=0 tty=pts/4 ruser=syss555 rhost=

In this case this has nothing to do with syslog-ng as it never touches
the message itself (e.g. anything after the hostname in the header
suselog/suselog in the case above)

syslog-ng maillist  -  syslog-ng at lists.balabit.hu
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list