[syslog-ng] Having hostname and sender's IP address in header

Matthew Hall mhall at mhcomputing.net
Tue Oct 26 01:48:27 CEST 2010


On Mon, Oct 25, 2010 at 07:31:00PM -0400, Worsham, Michael wrote:
> How do I satisfy each requirement:

> 1) Allow the incoming data stream to be saved in a format based on the 
> incoming sender's hostname for the directory structure (ex: 
> "/var/log/syslog/general/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log")?

> 2) Allow the IP address of the sender to be seen in the actual data 
> file once saved to the DCS server (ex: "Oct 25 18:51:12 10.153.13.70 
> <syslog.err>...")?

> 3) Is there an option to have the incoming sender's data saved with 
> both the hostname and IP address in the same header format (ex: "Oct 
> 25 18:51:12 CH33Test-WebCO 10.153.13.70 <syslog.err>...")?

I think your best bet would be something like setting it up to receive 
the messages on the port the servers are logging onto using a log source 
which has flags(final).

Then you will send the messages back to yourself. Using TCP, UDP, UNIX, 
or pipe would work for this part.

To do this you will configure a destination, which is used to relay the 
messages as they come in from the servers, and a source which is used to 
allow syslog-ng another chance to process the messages.

1) one socket which is set with flags to use DNS for local storage

2) one socket which is set with flags to use IPs for Tripwire

That way you could apply different properties to each socket.

You will probably need to experiment with the template used for relaying 
the messages from yourself to yourself to be sure nothing weird gets 
added when they are reforwarded back to you. For this part, using a UDP 
127.0.0.1 socket might be helpful at first because you can spy on the 
traffic using wireshark / tshark / tcpdump along with "udp port XXXX" 
filter to be sure everything looks like it should.

> -- Michael

HTH,
Matthew Hall.
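A concrete syslog-ng configuration along the lines Matthew describes, added here as an illustration and not taken from either post in the thread. It receives once from the servers, relays every message to two loopback sockets with different header templates, and then handles each loopback socket on a second pass: one socket feeds the per-host directory layout from requirement 1, the other feeds an IP-keyed file for Tripwire. The loopback port numbers, the tripwire path and the `@version` line are assumed values, not from the thread; the `/var/log/syslog/general/...` path is Michael's.

```conf
@version: 3.2
# Added example (not from the thread). Two-pass layout: pass 1 receives from
# the servers and re-sends to two loopback ports; pass 2 has one source per
# port so each can carry its own hostname handling. Ports 20514/20515 and the
# tripwire path are placeholders.

options {
    use_dns(yes);         # resolve the sender for $HOST on pass 1
    keep_hostname(yes);   # pass 2 must trust the relayed header, see below
    chain_hostnames(no);  # do not append the relay's own name to the host
    create_dirs(yes);     # let file() create the $HOST directories
};

# Pass 1: the port the servers actually log to.
source s_servers {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# $SOURCEIP is the peer address of the socket the message arrived on, so it
# has to be written into the header *here*: after the loop-back the peer is
# 127.0.0.1 and any DNS/IP resolution on pass 2 would yield "localhost".
destination d_loop_dns {
    udp("127.0.0.1" port(20514)
        template("<$PRI>$DATE $HOST $MSGHDR$MSG\n"));
};
destination d_loop_ip {
    udp("127.0.0.1" port(20515)
        template("<$PRI>$DATE $SOURCEIP $MSGHDR$MSG\n"));
};

# Requirement 3 can also be met directly on pass 1: hostname and IP side by
# side in one header line.
destination d_both {
    file("/var/log/syslog/both/$MONTH.$DAY.$YEAR.log"
         template("$DATE $HOST $SOURCEIP <$FACILITY.$PRIORITY> $MSG\n"));
};

# flags(final) keeps the original copies from matching any later log path.
log {
    source(s_servers);
    destination(d_loop_dns); destination(d_loop_ip); destination(d_both);
    flags(final);
};

# Pass 2a: keep_hostname(yes) makes $HOST the resolved name relayed in the
# header -> per-host directories (requirement 1).
source s_loop_dns {
    udp(ip(127.0.0.1) port(20514) keep_hostname(yes));
};
destination d_local {
    file("/var/log/syslog/general/$HOST/$FULLHOST-$MONTH.$DAY.$YEAR.log");
};
log { source(s_loop_dns); destination(d_local); flags(final); };

# Pass 2b: the relayed header carries the sender's IP in the host slot, so
# $HOST is that IP here -> IP-keyed file for Tripwire (requirement 2).
source s_loop_ip {
    udp(ip(127.0.0.1) port(20515) keep_hostname(yes));
};
destination d_tripwire {
    file("/var/log/syslog/tripwire/$MONTH.$DAY.$YEAR.log"
         template("$DATE $HOST <$FACILITY.$PRIORITY> $MSG\n"));
};
log { source(s_loop_ip); destination(d_tripwire); flags(final); };
```

The point of `keep_hostname(yes)` on the pass-2 sources is the caveat Matthew alludes to: once a message has been looped through 127.0.0.1, syslog-ng's own resolution would report the relay, not the original sender, so the original hostname or IP has to be fixed into the header by the pass-1 template and then trusted on the way back in. Watching the two loopback ports with `tcpdump -i lo udp port 20514` (and 20515) while testing shows exactly what that header looks like before the second pass touches it.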
