[syslog-ng] SYSLOGHOST is being replaced with IP

Pal, Laszlo vlad at vlad.hu
Fri Nov 29 14:09:36 UTC 2019 

If 172.22.2.55 is your relay, use keep-hostname option

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/keep-hostname


On Fri, Nov 29, 2019 at 2:24 PM Raghunath Adhyapak <funduraghu at gmail.com>
wrote:

> Hi,
>
> I'm observing that syslog-ng is modifying the SYSLOGHOST in the incoming
> log line and outputting an IP instead.
> I would like to retain the incoming hostname in incoming syslog and
> forward the same information.
>
> Here is my incoming log line:
> <13>Nov 29 04:07:40 BVRM-DC04
> AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=
> BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log
> Always\tKeywords=Audit
> Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was
> logged off.
>
> Outgoing log line:
> <13>Nov 29 04:07:40 172.22.2.55
> AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=
> BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log
> Always\tKeywords=Audit
> Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was
> logged off.
>
> FYI, this is log from Windows, but same is happening for syslog from other
> firewalls as well.
>
> My syslog-ng.conf:
>
> @version: 3.24
> @include "scl.conf"
> ########################
> # Sources
> ########################
> source s_test_net { syslog(transport(udp) port(2514) ); };
> ########################
> # Destinations
> ########################
> destination d_test { file("/tmp/test.log"); };
> ########################
> # Log paths
> ########################
> log {
>        source(s_test_net);
>        destination(d_test);
> };
>
> Thanks
> Raghu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20191129/9497b6d9/attachment.html>

More information about the syslog-ng mailing list