[syslog-ng] trouble with chain_hostnames

Matt Van Mater matt.vanmater at gmail.com
Wed Jan 4 23:32:24 CET 2012 

Hi all,

Many thanks to the developers, I've been a user for many years and have run
into a deployment that I can't quite get working the way I want to.

Please correct me if I am wrong, but the chain_hostnames global option is
intended to append the current syslog-ng hostname to every message
processed, no matter how many hosts a message chains through?

My messages are being relayed through these hosts:
1) webserver: Ubuntu LTS 10.4.3, syslog-ng 2.0.9 (from standard apt-get
sources)
2) proxy: OpenBSD 5.0, syslog-ng 3.1.4 (from prebuilt packages)
3) logserver: Ubuntu LTS 10.4.3, syslog-ng 2.0.9 (from standard apt-get
sources)

The traffic flows through them this way:
webserver --> proxy (tcp 514) --> proxy (tcp 1514) --> ssh tunnel -->
logserver (tcp 514)

I have chain_hostnames(yes) in the options global variable section all
three syslog-ng.conf files, and messages relay through all hosts properly
EXCEPT that the proxy server does not seem to append its hostname or IP
address to the syslog message when forwarding it on to the logserver.  I
have experimented with keep_hostnames as both yes and no on all hosts and
have not seen what i am expecting... (example: timestamp
s_all at webserver_ip/proxy_ip/logserver_ip
actual_log_message)

An example of what i see today is this:
On webserver # echo "webserver sending message to localhost tcp 514" | nc
localhsot 514
On loghost# tail -n1 /var/log/messages
Jan  4 17:22:16 webserver/webserver/loghost_ip webserver sending message to
localhost tcp 514

Note the fact that the message gets transported through all 3 hosts but the
proxy hostname isn't being inserted into the chain.

So my questions are:
1) Is chain_hostnames supposed to append the hostname to the message, no
matter how many hosts a message is relayed through?
1a) Suggestion: can you update the FAQ here:
http://www.campin.net/syslog-ng/faq.html#hostname to include an example of
a log message relayed through multiple hosts and the expected behavior
2) Is there a known bug in syslog-ng v3.1.4 and / or OpenBSD's example
syslog-ng.conf file that is the cause of hostname chaining not working?
2a) Suggestion: can you publish the syslog-ng changelogs in a single file
appending changes, or a searchable database?  As far as I can tell, I
currently have to download the changelog for each individual syslog-ng
version released in order to search and see if an issue was released and
that is a huge PITA.

Thanks!
Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20120104/06a5fda3/attachment.htm

More information about the syslog-ng mailing list