[syslog-ng] Syslog IP information is incorrect
Nate Campi
nate at campin.net
Thu Sep 28 19:16:05 CEST 2006
On Thu, Sep 28, 2006 at 01:05:39PM -0400, Tom Valdes wrote:
> I have some machines behind a firewall VLAN of 10.0.240.0 sending logs to a
> Linux Syslog server on the 10.0.230.0 network.
> The 2 machines are 10.0.240.71 and 10.0.240.72 and the Syslog server is
> 10.0.230.222.
> They are Windows and I am using the Eventlog to Syslog utility from Purdue
> University (https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys)
> to convert the Windows event logs to Syslog.
>
> Syslog is getting the information, however, any information from the 2
> machines is coming in as 10.0.230.1.
> -------
> Sep 28 11:37:54 10.0.230.1 Service Control ....... <---- This machine is
> actually 10.0.240.71
> -------
> Is there a way to get Syslog to read the correct IP information? Or does
> Syslog simply not pass correct host information through a router?
This evtsys might leave out the hostname information, like Linux
sysklogd or Solaris syslogd. This behavior is documented here:
http://www.campin.net/syslog-ng/syslog.html
If evtsys is in fact sending the hostname, use
options { keep_hostname(yes); };
...as described for a similar problem here where the source IP for the
UDP/TCP packets is different from the original syslog client source:
http://www.campin.net/syslog-ng/faq.html#stunnel
--
Nate
"We are discreet sheep; we wait to see how the drove is going, and then
go with the drove." - Samuel Clemens
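
Added example, not part of the message above and not syslog-ng's own code: a simplified Python model of how a receiver chooses the host for each message, showing why the packets' source address (10.0.230.1 in the question) is recorded unless the sender writes a HOSTNAME field and keep_hostname(yes) is set. The sample messages, the header heuristic and the allow-list are assumptions constructed for illustration; because keep_hostname(yes) trusts a name the sender supplies, the last function flags names not expected from a given peer.

```python
import re

# Simplified RFC 3164 header: <PRI>Mmm dd hh:mm:ss [HOSTNAME] TAG: text
HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<rest>.*)$")

def claimed_hostname(raw):
    """Return the HOSTNAME field the sender wrote into the message, or None."""
    m = HEADER.match(raw)
    if not m:
        return None
    first = m.group("rest").split(" ", 1)[0]
    # Heuristic (assumption): a first token ending in ':' or carrying '[pid]'
    # is the program tag, so the sender left the hostname out.
    if not first or first.endswith(":") or "[" in first:
        return None
    return first

def resolve_host(raw, peer_ip, keep_hostname):
    """Model of the host value a receiver records for one message."""
    claimed = claimed_hostname(raw)
    if keep_hostname and claimed:
        return claimed      # trust what the sender wrote
    return peer_ip          # fall back to the packet's source address

def unexpected_names(events, allowed):
    """Return (peer, name) pairs whose claimed name is not expected from that peer."""
    flagged = []
    for peer_ip, raw in events:
        name = claimed_hostname(raw)
        if name and name not in allowed.get(peer_ip, set()):
            flagged.append((peer_ip, name))
    return flagged

# Constructed sample messages; addresses are the ones quoted in the thread.
PEER = "10.0.230.1"   # source address the syslog server sees
WITH_HOST = "<29>Sep 28 11:37:54 10.0.240.71 SCM: service entered the running state"
NO_HOST = "<29>Sep 28 11:37:54 SCM: service entered the running state"
UNEXPECTED = "<29>Sep 28 11:37:55 10.0.230.222 SCM: service entered the running state"
ALLOWED = {PEER: {"10.0.240.71", "10.0.240.72"}}

if __name__ == "__main__":
    for raw in (WITH_HOST, NO_HOST):
        for keep in (False, True):
            print(keep, resolve_host(raw, PEER, keep))
    print(unexpected_names([(PEER, WITH_HOST), (PEER, UNEXPECTED)], ALLOWED))
```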