[syslog-ng] $HOST macro and relay host

Balazs Scheidler bazsi at balabit.hu
Tue Nov 3 20:09:08 CET 2009


On Fri, 2009-10-30 at 14:23 -0500, Jason Barrett wrote:
> Hi all,
> 
> I'm relaying log messages from one syslog-ng server to another.  At the 
> final stop, the only way I can get the $HOST macro to work is if I 
> enable dns resolution on server 1.  Is this by design?  Here are the 
> relevant configs:
> 
> ----------------------------------------------------------------------
> 
> syslog-ng server 1 (relays to server 2):
> chain_hostnames(yes);
> keep_hostname(yes);
> use_dns(no);
> 
> source s_udp { udp(port(514)); };
> destination df_udpback { udp("192.168.1.157" port(514)); };
> log { source(s_udp); destination(df_udpback); };
> 
> ----------------------------------------------------------------------
> 
> syslog-ng server 2:
> chain_hostnames(yes);
> keep_hostname(yes);
> use_dns(yes);
> 
> source s_udp { udp(port(514)); };
> destination df_udp { file("/var/log/ics/$HOST/$YEAR/$MONTH/$DAY"); };
> log { source(s_udp); destination(df_udp); };
> 
> ----------------------------------------------------------------------
> 
> Sample log message on server 2:
> Oct 30 09:35:03 10.12.24.46/10.12.24.46 %ASA-5-111005: 10.28.22.55 end 
> configuration: OK
> 
> 10.12.24.46 is the correct IP address of the originating host, and $HOST 
> resolves to this IP address.  I would prefer $HOST to resolve to the 
> hostname as it exists in the /etc/hosts file.

$HOST always resolves to the "HOST" portion of the syslog message.

syslog-ng can resolve only from /etc/hosts if you use these global
options:

options { use-dns(persist-only); dns-cache-hosts('/etc/hosts'); };

-- 
Bazsi



