[syslog-ng] Syslog relay tag

Evan Rempel erempel at uvic.ca
Wed Sep 17 18:07:00 CEST 2008


You will need to enable the keep_hostname(yes) for BOTH the relay box and the syslog server.

An example line of

2008-09-17T00:00:00-07:00 swc4cled050.bb.uvic.ca/swc4cled050.bb.uvic.ca/paprika.ns.uvic.ca local7.warning swc4cled050: 
*Sep 17 00:00:00.309: %DOT1X-4-INVALID_MSG_TYPE: authlib.c:86 Invalid message type 9 received from AAA

shows the originating machine is swc4cled050 and the relay machine is paprika.
It may look a little odd that swc4cled050 is there twice, but the explanation is:

The first occurrence is the name the originating host placed into the syslog message.
The second occurrence is the relay box resolving the IP address of the sender.
The third hostname (paprika) is the final syslog server resolving the IP address of the relay box.

I hope this explains things.


Gault Stephane wrote:
> Thanks for the hostname thing, I tried but it continues to send to the server:
>  
> src_name at hostname_BOX2 
>  
> For the log of BOX1. Let's say the hostname of BOX1 is BOX1 and BOX2 is BOX2 and the source name logged is SSH.
>  
> The syslog server receives those lines:
>  
> Sept 17 - SSH at BOX2 - myipthere - etc ...
>  
> I am connecting to BOX1 and generating logs on BOX1 that relay to BOX2 that relays to the syslog server.
>  
> Any clue?
> 
> > Date: Wed, 17 Sep 2008 06:56:16 -0700
> > From: infosec at gmail.com
> > To: syslog-ng at lists.balabit.hu
> > Subject: Re: [syslog-ng] Syslog relay tag
> > 
> > Set keep_hostname(yes); on the syslog server.
> > 
> > http://www.campin.net/syslog-ng/faq.html#hostname
> > 
> > On Wed, Sep 17, 2008 at 6:22 AM, Gault Stephane <hqservers at hotmail.com> wrote:
> > > Hello there,
> > >
> > > I got a question about relaying logs from a box to a syslog server through a
> > > syslog box relay. My problem is to get the log tagged with the IP of the
> > > first box, here is the case:
> > >
> > > BOX1 => BOX2 => Syslog server
> > >
> > > My goal is to relay BOX1 logs to BOX2 (security problem, to keep BOX1 out
> > > of the syslog server zone) and BOX2 will relay the logs from BOX1 and 2 to
> > > the syslog server.
> > >
> > > Have you any clue how I can get the IP (or hostname) of BOX1 included in
> > > the logs or file?
> > >
> > > When I do this the logs are ok, but they come with the IP of BOX2 (the
> > > logs of BOX1 and BOX2 got the same source IP "BOX2").
> > >
> > > Thanks for your suggestions.
> > >
> > > S.Gault
> > >
> > > ______________________________________________________________________________
> > > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > > FAQ: http://www.campin.net/syslog-ng/faq.html


-- 
Evan Rempel                       erempel at uvic.ca
Senior Programmer Analyst            250.721.7691
University Systems,        University of Victoria
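The three-part hostname field in Evan's example line (claimed name, relay's reverse lookup of the sender, server's reverse lookup of the relay) is what syslog-ng emits when hostnames are chained with "/". The parser below is an added example, not code from the thread or from syslog-ng; it splits that field per hop and flags lines where the name the sender wrote into the message disagrees with what the relay resolved for its address, which is the check worth running once keep_hostname(yes) starts trusting the sender's own name. The second sample line and the hostnames in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines. SAMPLE_OK copies the format shown in the thread;
# SAMPLE_MISMATCH is made up: the name inside the message does not agree with
# the name the relay resolved for the sending IP.
SAMPLE_OK = (
    "2008-09-17T00:00:00-07:00 "
    "swc4cled050.bb.uvic.ca/swc4cled050.bb.uvic.ca/paprika.ns.uvic.ca "
    "local7.warning swc4cled050: *Sep 17 00:00:00.309: "
    "%DOT1X-4-INVALID_MSG_TYPE: authlib.c:86 Invalid message type 9 received from AAA"
)
SAMPLE_MISMATCH = (
    "2008-09-17T00:01:00-07:00 "
    "core-router.example.net/lab-pc42.example.net/paprika.ns.uvic.ca "
    "auth.info sshd[123]: Accepted password for admin from 10.0.0.5"
)

# syslog-ng file destination layout as shown in the thread: ts host prio msg
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<hosts>\S+)\s+(?P<prio>\S+)\s+(?P<msg>.*)$")


@dataclass
class Hops:
    claimed: str            # name the originating host wrote into the message
    relay_resolved: str     # relay's reverse lookup of the sender's address
    later_hops: List[str]   # each further receiver resolving the previous hop
    priority: str
    msg: str


def parse_hops(line: str) -> Hops:
    """Split the slash-joined hostname field into its per-hop components."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a 'timestamp host priority message' line")
    hosts = m.group("hosts").split("/")
    claimed = hosts[0]
    # A line that never crossed a relay carries a single name; treat it as both.
    relay_resolved = hosts[1] if len(hosts) > 1 else claimed
    return Hops(claimed, relay_resolved, hosts[2:], m.group("prio"), m.group("msg"))


def short(name: str) -> str:
    """Compare on the unqualified, case-folded host label."""
    return name.split(".")[0].lower()


def claimed_matches_relay(hops: Hops) -> bool:
    """True when the message's own hostname agrees with what the relay resolved."""
    return short(hops.claimed) == short(hops.relay_resolved)
```

A mismatch is not proof of spoofing (NAT, stale PTR records and multi-homed senders produce it too), but it is the line to look at before trusting the claimed name.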

