[syslog-ng] Remote hosts logging as loopback, not hostname
Rob Munsch
rmunsch at solutionsforprogress.com
Mon Mar 13 22:03:34 CET 2006
That's what I thought, and did from the start... No joy. Sorry. I
should have been more explicit about that. Just to be safe, I'd enabled
keep_hostname on client and server. No effect.

After that, I fiddled with various permutations of chain_hostnames on
and off on client and/or server; since the $HOST macro expands to the name
of the originating host, as explicitly stated in the reference manual.
Nothing. Aargh... Then, since it was very late on Friday, I went home :).

Is there anything I could be doing with stunnel to mangle this process..?

I have syslog dumping the remote messages to a plaintext file, and there
too hosts show as loopback. Did this to see if maybe I was just
screwing up the MySQL side of things; don't seem to be.

So here's what the client, randomaccess, logs/dumps to a text file:

    randomaccess auth info info 26 2006-03-13T15:52:15-0500 su(pam_unix) su(pam_unix)[9942]: session opened for user root by (uid=500)

Now here's the funny part. Here's a sample line, on the server, of
what's coming over. Isis is the server, randomaccess is the remote
client, they both are using the same template...
but this same line on isis looks like:

    127.0.0.1 user notice notice 0d 2006-03-13T15:52:55-0500 randomaccess randomaccess auth info info 26 2006-03-13T15:52:15-0500 su(pam_unix) su(pam_unix)[9942]: session opened for user root by (uid=500)

How is the info getting scrambled around? Both files are using
identical template statements, which is

    template("$HOST $FACILITY $PRIORITY $LEVEL $TAG $ISODATE $PROGRAM $MSG\n")

and on the client it seems pretty clear. By the time we hit the server,
however, it seems to think loopback is the host... and randomaccess is
the program...?

In addition, the entirety of this info - host thru isodate - becomes the
$MSG.

Very odd. How am I accomplishing this feat?

Nathan Campi wrote:
> Rob,
>
> This is covered in the faq - it's even called something like "using
> stunnel, all hosts are logged as localhost". Use this:
>
> options{ keep_hostname(yes); };
> --
> Nate Campi
> _______________________________________________
> syslog-ng maillist - syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
--
Rob Munsch
Solutions For Progress IT