> Router sends syslog to server1, server1 sees the message,
> logs it locally and forwards it to server2. That's all well and good.
>
> However, the log entry on server1 says that it's from
> 'router' - what I want to see; the log entry on server2 says
> that it's from 'server1' - not what I want to see.

Stock syslog uses UDP as its transport protocol, and only retains source and destination hostnames/IP addresses based on its UDP headers. If you want to retain the (quite valuable) information about the original source, not the last source, the easiest thing to do is run syslog-ng with the chain hostname variable set to yes. I'm sure there are equiv features in other syslog replacements, but syslog-ng is what I'm familiar with.

http://www.balabit.com/products/syslog_ng/

cheers - tbird

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
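The two-hop relay from this thread as a simplified model, added here as an illustration (it is not part of the original message and not syslog-ng's code). The datagram tuple layout, the `NAMES` lookup table, the documentation-range addresses and the `a/b` chain notation are assumptions made for the example.

```python
# Constructed example: a simplified model of a two-hop syslog relay.
# The name table stands in for whatever reverse lookup each receiver performs.
NAMES = {"192.0.2.1": "router", "192.0.2.10": "server1", "192.0.2.20": "server2"}


def receive(datagram, chain):
    """Return the (host, msg) record a receiver logs for one UDP datagram.

    datagram is (src_ip, host_field, msg); host_field is None when the
    sender put no hostname in the payload.
    """
    src_ip, host_field, msg = datagram
    sender = NAMES.get(src_ip, src_ip)  # derived from the UDP/IP header only
    if chain and host_field:
        # Chained mode: keep the history carried in-band, append the last hop.
        return (host_field + "/" + sender, msg)
    # Stock mode: the last hop is all the receiver knows.
    return (sender, msg)


def forward(record, relay_ip, chain):
    """Build the datagram a relay sends onward for a record it has logged."""
    host, msg = record
    # A stock relay does not carry the origin in-band, so it is lost here.
    return (relay_ip, host if chain else None, msg)


def trace(origin_ip, relay_ips, msg, chain):
    """Send msg from origin through each relay; return the host logged per hop."""
    datagram = (origin_ip, None, msg)
    hosts = []
    for relay_ip in relay_ips:
        record = receive(datagram, chain)
        hosts.append(record[0])
        datagram = forward(record, relay_ip, chain)
    hosts.append(receive(datagram, chain)[0])  # final collector
    return hosts


def origin(logged_host):
    """First element of a chained host string is the original source."""
    return logged_host.split("/")[0]


if __name__ == "__main__":
    for mode in (False, True):
        print("chain=%s:" % mode, trace("192.0.2.1", ["192.0.2.10"], "link down", mode))
```

With chaining off, the final collector attributes the router's message to server1; with it on, the original source stays recoverable from the logged host string.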
This archive was generated by hypermail 2.1.3 : Sat Jan 29 2005 - 10:54:42 PST