[syslog-ng] Having hostname and sender's IP address in header

Matthew Hall mhall at mhcomputing.net
Tue Oct 26 05:39:35 CEST 2010 

On Monday, October 25, 2010 20:07:08 Worsham, Michael wrote:
> Almost. I am confused on the "set properties to preserve hostnames" and
> "set appropriate template" pieces. I am still rather new to this still.
> I am just happy I got TLS encryption working and integrated TLS with
> Syslog4j for Weblogic support.
> 
> So I guess back to the original question, is it not possible to pass over
> the hostname and IP address at the same time in the header?
> 
> -- M

Some of the items from your "options" clause are what you are using to get 
hostnames / IPs to appear or not appear in your log messages during your 
testing if I have understood properly. You will want to move them from being 
"global" where they affect to all logging, into the sources where they are 
needed, to prevent them from spilling over when you are looping the 
messages back through syslog-ng a second time.

options {
        chain_hostnames(no);
        time_reopen(10);
        time_reap(360);
        log_fifo_size(1000);
        group(adm);
        perm(0644);
        dir_perm(0755);
        use_dns(yes);
        use_fqdn(yes);
        create_dirs(yes);
        keep_hostname(yes);
        log_msg_size(32768);
        stats_freq(0);
        flush_lines(0);
};

The set appropriate template part means using the right template string to 
output the message in the correct format when forwarding it.

According to the administrator guide:

$ISODATE $HOST $MSGHDR$MSG\n

is the default template. It will probably work to reforward the messages 
back to syslog-ng just fine but could need some changes.

I don't think you can pass the host and IP at the same time because there is 
only one spot in the packet where the $HOST can be written. I think you will 
need to make two flows of log messages where one contains hosts and the 
other contains IPs.

I thought of another way to do it which could be worth trying. You could try 
using set(...) function of syslog-ng to create your own macros: $host_dns 
and $host_ip perhaps, where you have saved the values you want for each 
field. Then you could change your template of your destination to reference 
these macro values of your own instead of the $HOST. To figure this one out 
you will need to spend some time in the manual as it's not complete how to 
do it yet in my mind.

Regards,
Matthew Hall.

More information about the syslog-ng mailing list