[syslog-ng] Chained changing IP addresses to FQDN

Christopher Barry christopher.barry at rackwareinc.com
Sun Dec 27 06:21:49 CET 2009


On Tue, 2009-12-22 at 15:28 -0500, Jason Carr wrote:
> Hello,
> 
> I have a syslog infrastructure using syslog-ng comprising three tiers: probes that accept messages and forward them to the broker, a broker that routes and/or duplicates messages to the appropriate storage devices, and storage devices.  All forward using the tcp("hostname"); as a destination.
> 
> Basically it looks like this:
> 
> machine1 ==udp==> +-------+          +--------+          +-----------+
> machine2 ==udp==> | probe | ==tcp==> | broker | ==tcp==> | storage 1 |
> machine3 ==udp==> +-------+          +--------+          +-----------+ 
>                                          ||              +-----------+
>                                          ++=======tcp==> | storage 2 |
>                                                          +-----------+
> 
> 
> The probes rewrite the hostname to the IP address that the packet came from using the chain_hostnames(no) and keep_hostname(no) options.  One of the requirements of one specific storage device is to change the IP addresses into hostnames.  I'm having difficulty on the storage device switching the IP address in the log message to the FQDN.  I have tried all combinations I can think of of chain_hostnames and keep_hostname and cannot seem to get the IP address replaced with the FQDN.
> 
> Is there a way to replace the IP address with the FQDN while receiving the messages from an intermediary?
> 
> Thank you,
> 
> Jason

Uhm, don't re-write it to IP addresses in the first place? Seems
logical, but I may not fully understand your implementation.

-C
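
An added configuration sketch, not part of either message and not taken from the posters' systems: one way to follow the suggestion above is to let the probe, the only tier that sees the real sender address, do the reverse lookup, and have the broker and storage tiers keep the name they are handed. The broker hostname, listen address and ports are placeholders.

```conf
# probe: syslog-ng.conf (added example; names and ports are placeholders)
options {
    keep_hostname(no);     # ignore the HOST field claimed inside the message
    chain_hostnames(no);   # do not build a host1/host2 relay chain
    use_dns(yes);          # reverse-resolve the address the packet came from
    use_fqdn(yes);         # record the full domain name, not the short name
    dns_cache(yes);        # cache lookups so a burst does not stall on DNS
};
source s_udp { udp(ip(0.0.0.0) port(514)); };
destination d_broker { tcp("broker.example.net" port(514)); };
log { source(s_udp); destination(d_broker); };

# broker and storage tiers: syslog-ng.conf
options {
    keep_hostname(yes);    # keep the HOST value the probe wrote
    chain_hostnames(no);   # otherwise the relay's own name would be added
};
```

Senders without a PTR record still show up as IP addresses, and the broker and storage tiers now trust whatever HOST value arrives over TCP, so their listeners should accept connections only from the probes and the broker.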


