4.3.2. How relaying log messages works
Depending on how you need to relay log messages, many scenarios and syslog-ng PE options influence what the log message will look like on the logserver. Some of the most common cases are summarized in the following example.
Consider the following example: client-host > syslog-ng-relay > syslog-ng-server, where the IP address of client-host is 192.168.1.2. The client-host device sends a syslog message to syslog-ng-relay. Depending on the settings of syslog-ng-relay, the following can happen.
By default, the keep-hostname() option is disabled, so syslog-ng-relay writes the IP address of the sender host (in this case, 192.168.1.2) to the HOST field of the syslog message, discarding any IP address or hostname that was originally in the message.
If the keep-hostname() option is enabled on syslog-ng-relay, but name resolution is disabled (the use-dns() option is set to no), syslog-ng-relay uses the HOST field of the message as-is, which is probably
To resolve the 192.168.1.2 IP address to a hostname on syslog-ng-relay using a DNS server, use the use-dns(yes) options. If the DNS server is properly configured and reverse DNS lookup is available for the 192.168.1.2 address, syslog-ng PE will rewrite the HOST field of the log message to
It is also possible to resolve IP addresses locally, without relying on the DNS server. For details on local name resolution, see Procedure 19.3.1, Resolving hostnames locally.
The above points apply to the syslog-ng PE server (syslog-ng-server) as well, so if syslog-ng-relay is configured properly, use the syslog-ng-server to retain the proper HOST field. Setting syslog-ng-server would result in syslog-ng PE rewriting the HOST field to the address of the host that sent the message to syslog-ng-server, which is syslog-ng-relay in this case.
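The following configuration sketch is an added example, not taken from the original guide. It shows one combination of the options discussed above: the relay replaces HOST with the reverse-resolved name of the sender, and the server keeps what the relay wrote. The source and destination names, port 514 and the file path are assumptions; keep-hostname(yes) on the server is the assumed setting for retaining HOST. Add the @version line that matches your installation.

```conf
# ---------- syslog-ng-relay (constructed example) ----------
options {
    # Default behaviour: ignore the HOST value inside the incoming
    # message and write the address of the sender (192.168.1.2).
    keep-hostname(no);
    # Reverse-resolve the sender address through DNS. With use-dns(no)
    # the HOST field would stay the bare IP address.
    use-dns(yes);
};

source s_clients {            # assumed name
    udp(ip(0.0.0.0) port(514));
};

destination d_server {        # assumed name
    tcp("syslog-ng-server" port(514));
};

log { source(s_clients); destination(d_server); };

# ---------- syslog-ng-server (constructed example) ----------
options {
    # Keep the HOST field exactly as syslog-ng-relay wrote it.
    # With keep-hostname(no) every relayed message would carry the
    # address of syslog-ng-relay instead of the original client.
    keep-hostname(yes);
};

source s_relay {              # assumed name
    tcp(ip(0.0.0.0) port(514));
};

destination d_relayed {       # assumed name and path
    file("/var/log/relayed.log");
};

log { source(s_relay); destination(d_relayed); };
```

With keep-hostname(yes), the HOST value is whatever the sending side put in the message, so enable it on syslog-ng-server only for sources that receive from relays you control.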
If you cannot or do not want to resolve the 192.168.1.2 IP address on syslog-ng-relay, but want to store your log messages on syslog-ng-server using the IP address of the original host (that is, client-host), you can enable the
spoof-source()works only under the following conditions: