Syslog forwarding loses original hostname

rsyslog syslog

I have DMZ hosts forwarding to a DMZ syslog, which in turn forwards all the syslog messages to an internal syslog server. It's working fine for the most part, but the internal syslog host messages appear to all be coming from the DMZ syslog, i.e. it loses the original hostnames.

{Hosts} -> {DMZ syslog: openbsd: syslog v 1.17} -> {Internal Syslog: rsyslog v3}

How can I preserve the hostnames?

Thanks!

Best Answer

Personally I would recommend using syslog-ng for your internal server - it provides a whole lot more than rsyslog. Of specific interest in your case, it provides much better handling for managing, rewriting, etc. of the hostnames.

If you decide to stick with rsyslog, this configuration does preserve both the remote and local hostnames - it is what I used before switching to syslog-ng.

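# Input modules: local log socket, kernel log, UDP syslog reception
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imudp.so
# Listen for remote syslog messages on UDP port 514
$UDPServerRun 514
# Write files in the traditional syslog file format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Selector rules: facility.priority on the left, destination on the right
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log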

I also was using the "-c 4" options in my init script, if it matters.
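
A way to check what the internal server actually receives from the relay, as an added example that is not part of the original answer: it parses BSD-syslog (RFC 3164) datagrams and reports whether each one still carries a HOSTNAME field. The sample datagrams, the relay address 192.0.2.10 and the fallback-to-sender rule are assumptions, not taken from the setup above.

```python
import re

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?P<rest>.*)$",
    re.S,
)
# A TAG ends in ':' or '[pid]:'; a HOSTNAME field has neither.
_TAG = re.compile(r"^[^\s:\[\]]+(\[\d+\])?:$")


def attributed_host(datagram: bytes, sender: str) -> dict:
    """Return the host a collector would record for one UDP syslog datagram.

    Assumption: when the header carries no HOSTNAME, the collector falls
    back to the address the packet came from, which here is the relay.
    """
    m = _HDR.match(datagram.decode("utf-8", "replace"))
    if not m or int(m["pri"]) > 191:
        return {"host": sender, "from_header": False, "reason": "no valid PRI"}
    if m["ts"] is None:
        return {"host": sender, "from_header": False, "reason": "no timestamp"}
    first, _, _ = m["rest"].partition(" ")
    if not first or _TAG.match(first):
        return {"host": sender, "from_header": False, "reason": "no hostname field"}
    return {"host": first, "from_header": True, "reason": "hostname in header"}


# Constructed sample: datagrams as they might arrive on the internal server,
# all sent by a relay at 192.0.2.10 (documentation address).
SAMPLES = [
    b"<38>Oct  3 14:02:11 web01 sshd[4242]: Accepted publickey for deploy",
    b"<38>Oct  3 14:02:12 sshd[977]: Failed password for root",
    b"<13>su: pam_unix session opened",
]


def audit(samples, relay="192.0.2.10"):
    """Count datagrams that would be logged under the relay's identity."""
    results = [attributed_host(d, relay) for d in samples]
    return sum(1 for r in results if not r["from_header"]), results


if __name__ == "__main__":
    lost, results = audit(SAMPLES)
    for r in results:
        print(r)
    print(f"{lost} of {len(results)} datagrams lose the original hostname")
```

Feed it payloads captured on the internal server's UDP port 514 to see whether the original hostname is already missing on the wire or is being dropped by the receiver's configuration.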