[syslog-ng] SYSLOGHOST is being replaced with IP

Raghunath Adhyapak funduraghu at gmail.com
Fri Nov 29 15:00:05 UTC 2019


Thanks Laszlo, I will try that and get back.

Raghu

On Fri, Nov 29, 2019, 19:40 Pal, Laszlo <vlad at vlad.hu> wrote:

> If 172.22.2.55 is your relay, use the keep-hostname option
>
>
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/keep-hostname
>
>
> On Fri, Nov 29, 2019 at 2:24 PM Raghunath Adhyapak <funduraghu at gmail.com>
> wrote:
>
>> Hi,
>>
>> I'm observing that syslog-ng is modifying the SYSLOGHOST in the incoming
>> log line and outputting an IP instead.
>> I would like to retain the incoming hostname in incoming syslog and
>> forward the same information.
>>
>> Here is my incoming log line:
>> <13>Nov 29 04:07:40 BVRM-DC04
>> AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=
>> BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log
>> Always\tKeywords=Audit
>> Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was
>> logged off.
>>
>> Outgoing log line:
>> <13>Nov 29 04:07:40 172.22.2.55
>> AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.8.91\tSource=Microsoft-Windows-Security-Auditing\tComputer=
>> BVRM-DC04.xxxxxxxx.com\tOriginatingComputer=172.26.1.60\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=166757582\tTimeGenerated=1575029259\tTimeWritten=1575029259\tLevel=Log
>> Always\tKeywords=Audit
>> Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tMessage=An account was
>> logged off.
>>
>> FYI, this is a log from Windows, but the same is happening for syslog from
>> other firewalls as well.
>>
>> My syslog-ng.conf:
>>
>> @version: 3.24
>> @include "scl.conf"
>> ########################
>> # Sources
>> ########################
>> source s_test_net { syslog(transport(udp) port(2514) ); };
>> ########################
>> # Destinations
>> ########################
>> destination d_test { file("/tmp/test.log"); };
>> ########################
>> # Log paths
>> ########################
>> log {
>>        source(s_test_net);
>>        destination(d_test);
>> };
>>
>> Thanks
>> Raghu
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
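The keep-hostname suggestion from the reply, written out against the configuration in the original message. This is an added example, not part of the thread; the second destination `d_test_peer`, its file path and its template are assumptions used to show how to record the real sender address next to the retained hostname.

```conf
@version: 3.24
@include "scl.conf"

# Alternative (global): keep the received HOST field for every source.
# options { keep-hostname(yes); };

########################
# Sources
########################
source s_test_net {
    syslog(
        transport(udp)
        port(2514)
        # Default is keep-hostname(no): HOST is overwritten with the
        # address/name of the peer the message arrived from (the relay).
        keep-hostname(yes)
    );
};

########################
# Destinations
########################
# Same output as before, now carrying the hostname from the message.
destination d_test { file("/tmp/test.log"); };

# Assumed extra destination: with keep-hostname(yes) the HOST value is
# whatever the sender wrote, so also log the peer address syslog-ng
# actually saw (${SOURCEIP}) to keep the two distinguishable.
destination d_test_peer {
    file("/tmp/test-peer.log"
        template("${ISODATE} host=${HOST} peer=${SOURCEIP} ${MSGHDR}${MESSAGE}\n")
    );
};

########################
# Log paths
########################
log {
    source(s_test_net);
    destination(d_test);
    destination(d_test_peer);
};
```

Setting the option on the source rather than globally limits the trusted HOST field to traffic arriving on port 2514 from the relay.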