RE: [logs] SYSLOG "forwarding"

From: Tina Bird (
Date: Sat Jan 29 2005 - 10:52:39 PST

> Router sends syslog to server1, server1 sees the message, 
> logs it locally and forwards it to server2.  That's all well and good.
> However, the log entry on server1 says that it's from 
> 'router' - what I want to see; the log entry on server2 says 
> that it's from 'server1' - not what I want to see.

Stock syslog uses UDP as its transport protocol, and only retains source and
destination hostnames/IP addresses based on its UDP headers.  If you want to
retain the (quite valuable) information about the original source, not the
last source, the easiest thing to do is run syslog-ng with the chain
hostname variable set to yes.  I'm sure there are equiv features in other
syslog replacements, but syslog-ng is what I'm familiar with.

cheers - tbird

No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.7.4 - Release Date: 1/25/2005

LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Sat Jan 29 2005 - 10:54:42 PST