[syslog-ng] SYSLOGHOST is being replaced with IP

Raghunath Adhyapak funduraghu at gmail.com
Fri Nov 29 13:24:27 UTC 2019


Hi,

I'm observing that syslog-ng is modifying the SYSLOGHOST in the incoming
log line and outputting an IP instead.
I would like to retain the incoming hostname in incoming syslog and forward
the same information.

Here is my incoming log line:
<13>Nov 29 04:07:40 BVRM-DC04 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was logged off.

Outgoing log line:
<13>Nov 29 04:07:40 172.22.2.55 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was logged off.

FYI, this is a log from Windows, but the same is happening for syslog from other
firewalls as well.

My syslog-ng.conf:

@version: 3.24
@include "scl.conf"
########################
# Sources
########################
source s_test_net { syslog(transport(udp) port(2514) ); };
########################
# Destinations
########################
destination d_test { file("/tmp/test.log"); };
########################
# Log paths
########################
log {
       source(s_test_net);
       destination(d_test);
};

Thanks
Raghu
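As an added example, not the poster's configuration or any reply from the thread: the same log path rewritten around the documented syslog-ng settings that govern the HOST field. keep-hostname() defaults to no, which makes syslog-ng overwrite HOST with the address of the sending host; the destination template also records $SOURCEIP next to $HOST so the relay hop stays visible for later checks. It assumes the same UDP port 2514 and /tmp/test.log path as the original post.

```conf
@version: 3.24
@include "scl.conf"

########################
# Sources
########################
# The posted line ("<13>Nov 29 04:07:40 BVRM-DC04 ...") is BSD/RFC3164-style
# syslog; network() is the syslog-ng driver documented for that format,
# while syslog() expects RFC5424 framing.
source s_test_net {
    network(
        transport("udp")
        port(2514)
        # Default is keep-hostname(no): syslog-ng replaces HOST with the
        # address of the host that sent the datagram (172.22.2.55 in the post).
        # keep-hostname(yes) keeps the HOST field as carried in the message.
        keep-hostname(yes)
        # use-dns(no): no reverse lookup per message; any fallback is the raw IP.
        use-dns(no)
    );
};

########################
# Destinations
########################
# Preserve the original HOST but also write the address the message actually
# arrived from, so a mistaken or spoofed header hostname can be cross-checked.
destination d_test {
    file("/tmp/test.log"
         template("<${PRI}>${DATE} ${HOST} src=${SOURCEIP} ${MSGHDR}${MSG}\n")
    );
};

########################
# Log paths
########################
log {
    source(s_test_net);
    destination(d_test);
};
```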