LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   forwarding syslog messages overwrites original hostname (https://www.linuxquestions.org/questions/linux-software-2/forwarding-syslog-messages-overwrites-original-hostname-48597/)

gfizzy 03-06-2003 03:10 PM
forwarding syslog messages overwrites original hostname
 
Hopefully some of you gurus out there can help me. I've been banging my head against the wall on this problem and can't seem to find any answers.

I am a network admin and have 1000s of network devices syslogging to a few *nix servers in North America. I recently started playing around with some message correlation tools. Instread of re-configuring all of my devices to syslog to a new server, I decided to have my syslog servers forward their messages to one central server.

This works -- sort of. I've got a NetBSD box that is forwarding syslog messages OK. On my solaris central logging host, it displays the syslog messages in this format: <timestamp> <NetBSDLogServer> <Original Device> <Message>, where <Original Device> is the ip or hostname of the device that originated the message. I do not know what version of syslogd is running on the NetBSD Box.

On a redhat box that handles syslog for Europe, I seem to be forwarding a different format. Again, on my Solaris central logging host, the syslog receives messages from the redhat server in the format <timestamp> <redhat Server> <message>. In effect, it does not include the hostname of the original device that sent the syslog in the first place. I am running syslogd 1.4.1 on the redhat box.


Does anyone know how to force the two syslogd apps to send in the same format? If not, is there a way I can force the redhat box syslogd to send the Original device hostname?

Thanks-

Greg

pallocca 09-30-2003 06:45 PM
looks like we are in the same boat. I posted a simalar thread today and have not heard back from anyone. Did you ever figure out how to maintain the original hostname in the syslog message? Any help would be great!

pthmpson 10-30-2009 09:24 AM
I know this thread has been idle for years but I'm having the same problem. Has anybody figured out how to resolve this yet?

I have set up several servers in a secure DMZ to syslog both locally and to a DMZ loghost. Logging works perfectly. On the DMZ loghost I can see the source IP address of the server that generated any given event.

I have configured this DMZ loghost to forward all messages on to central loghost that collects logs for the entire network. The other servers in the DMZ are unable to connect to this central loghost. Unfortunately this forwarding of logs is not working the way I want.

The central log host is receiving log entries from all of the servers in the DMZ but they are all listed as coming from the IP of the DMZ loghost. Therefore I can't tell which server has generated a particular event.

Is there any way I can configure the DMZ loghost to retain the originating IP address when it forwards on messages? All servers are running RHEL5.

Phil


All times are GMT -5. The time now is 10:05 PM.