[syslog-ng] hostname issue with aggregation from aggregator of end-system

Ian Veach zfpublic08 at gmail.com
Mon Feb 27 23:25:58 CET 2012


We're currently running loghosts/aggregators for each data center and two
OS types.  This works fine.  We are now trying to forward all syslogs from
our aggregators to another single aggregator (a security loghost,
sec-loghost, which is proprietary).  We are having a problem retaining
hostname when forwarding from a loghost aggregator to ANOTHER loghost - but
only from one OS type / syslog-ng install.

We've been running syslog-ng for some time on RHEL (and previously SLES)
and AIX, in a loghost configuration, with no issues.  Our current
architecture (example):

data center 1:

rhelhostX -> rhel-loghost1
aixhostX -> aix-loghost1

data center 2:

rhelhostX -> rhel-loghost2
aixhostX -> aix-loghost2


aix-loghosts are running syslog-ng 3.0.5, RHEL loghosts are running
syslog-ng 3.1.4.  Both are similarly configured (see below), and are
working fine as advertised by themselves - e.g. each loghost gets
$HOST_FROM and properly stores the logs for that host in our architecture
(/logs/$YEAR/$MONTH/$DAY/$HOST_FROM/).

However, given data center 1, if syslogs follow this path:

aixhostX -> aix-loghost1 -> sec-loghost

rhelhostX -> rhel-loghost1 -> sec-loghost
rhelhostX -> rhel-loghost1 -> rhel-loghost2

sec-loghost sees syslogs from all aixhostXs (even though they passed
through aix-loghost1) correctly.  However, sec-loghost (and we also tested
going to rhel-loghost2) sees ALL syslog entries as coming from
rhel-loghost, even though it's simply aggregating from rhelhostXs.
loghost1s all correctly get $HOST_FROM and see syslog record hosts
correctly.  This issue only occurs when forwarding again to another loghost.

Our nutshell configuration on BOTH loghosts (related to this) is:

options {
        chain_hostnames(no);
        keep_hostname(yes);
        use_fqdn(no);
        use_dns(yes);
};

Any ideas on how to fix this?  The only hint I've gotten is from our
networks group, who uses kiwi syslog and had to make sure a checkbox for
RFC 3164 headers compliance was turned on.  I don't see an equivalent of
that not already set with the above config.

Thanks,
Ian
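An added relay configuration, not from the original post or from the syslog-ng project, that shows the distinction this setup turns on: on a loghost that is fed by another loghost, $HOST_FROM always names the relay that delivered the message, while the originating host survives in $HOST as long as keep_hostname(yes) is set on every hop. Host names, ports and the archive path are assumptions for illustration.

```conf
@version: 3.1

options {
    chain_hostnames(no);   # do not prepend relay names to the hostname field
    keep_hostname(yes);    # trust the hostname already in the message header
    use_fqdn(no);
    use_dns(yes);
};

# Messages arriving from the end systems (port assumed)
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# Forward to the next hop. With no template given, syslog-ng 3.x emits the
# BSD (RFC 3164) header using $HOST, which keep_hostname(yes) left as the
# originating host rather than this relay.
destination d_sec_loghost {
    tcp("sec-loghost" port(514));
};

# Local archive keyed on $HOST. Keying on $HOST_FROM here would file every
# relayed message under the relay's name, because $HOST_FROM is the peer
# that handed the message to this syslog-ng instance.
destination d_archive {
    file("/logs/$YEAR/$MONTH/$DAY/$HOST/$PROGRAM.log"
         create_dirs(yes));
};

log {
    source(s_net);
    destination(d_sec_loghost);
    destination(d_archive);
};
```

A quick check on any hop is to write one message through a file() destination with template("$HOST $HOST_FROM $MSG\n"): the two fields differ exactly when the message has been relayed.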