I have DMZ hosts forwarding to a DMZ syslog which in turn forwards all the syslog messages to an internal syslog server. It's working fine for the most part but the internal syslog host messages appear to all be coming from the DMZ syslog ie it loses the original hostnames.
{Hosts} -> {DMZ syslog: openbsd: syslog v 1.17} -> {Internal Syslog: rsyslog v3}
How can I preserve the hostnames?
Thanks!
Configure /etc/rsyslog.conf to preserve the FQDN: $PreserveFQDN on
Personally I would recommend using syslog-ng for your internal server - it provides a whole lot more than rsyslog. Of specific interest in your case it provides some much better handling for managing / rewriting / etc for the hostnames.
If you decide to stick with rsyslog this configuration does preserve both the remote and local hostnames - it is what I used before switching to syslog-ng.
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imudp.so
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
I also was using the "-c 4" options in my init script, if it matters.
Piping the syslog message to netcat will add the hostname.
A simple way is to pipe messages using netcat (nc) in the syslog.conf file as follow:
. "TAB" | nc RemoteLogServer -u 514 -w 1"
A TAB character must be inserted before the pipe symbol.
