3

How can syslog-ng be configured to send both the hostname and the IP address? Currently, logs are sent with the IP address of the device/machine, but we want to add the hostname so I could keep my IP management database up to date with the correct hostname (no, I don't use DHCP :)).

Ed Gl

2 Answers

3

If you are sending from one syslog-ng server to another, just add the `keep_hostname(yes)` option.

If you are sending from syslog-ng to some other syslog daemon, you need to compile from source and use the enable source spoof option.

If you just want names instead of IPs, then try `use_dns(yes)`.

Here's a short video on configuring syslog-ng.

Ladadadada
Clayton Dukes
  • 1
    Note that `use_dns(yes)` requires reverse DNS lookups from the central syslog-ng server on the source server's IP address to work. – Ladadadada May 11 '12 at 05:19
  • 1
    To add to what Ladadadadada (or something, heh) said, if you have `use_dns` and no dns available, it will use your `/etc/hosts` first - assuming you have `files, dns` set in your `nsswitch.conf`. – Clayton Dukes May 11 '12 at 13:46
  • Options 1 and 2 are the way to go... thanks! – Ed Gl May 12 '12 at 13:48
  • I need to know where to put `keep_hostname` – deFreitas May 28 '18 at 00:57
  • OK, here is an example for `/etc/syslog-ng/syslog-ng.conf`: `options {keep_hostname(yes);}; source...` It is really hard to find out when you are a newbie – deFreitas May 28 '18 at 01:02
0

I like using the following due to the number of hosts we maintain.

```
rewrite r_host { set("syslogclient.domain.com", value("HOST")); };
log { source(s_src); destination(d_mysyslog); rewrite(r_host); };
destination d_mysyslog { tcp("syslog.domain.com" port(1514) tls(ca_dir("/etc/syslog-ng/cert.d"))); };
```

And these settings on the syslog-ng server:

```
# global options block on the receiving syslog-ng server
options { long_hostnames(on); use_dns(no); use_fqdn(no); };
```

This rewrites the hostname, rather than having to maintain any hosts lists on the syslog server, and presents this on the syslog-ng server:

```
Sep 27 13:20:01 syslogclient.domain.com/10.72.13.130 CRON[11729]: pam_unix(cron:session): session closed for user root
```
draper7
  • That's not a good thing to do if you ever start using a more advanced tool like LogZilla. Instead, put that IP in a metatag with the message, like `host_ip="10.72.13.130" $MSG` – Clayton Dukes Jun 06 '18 at 02:01
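Added example (not code from any poster on this page): a Python sketch of the consuming side for the question's goal, reading hostname/IP pairs from either the `host/ip` form shown in the answer above or the `host_ip="..."` metatag form from the comment. Because the hostname in these setups is whatever the sending host put in the message, conflicting claims are held back for review instead of being written to the inventory. The function names are hypothetical and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
STAMP = r'^\w{3}\s+\d+\s[\d:]{8}\s'  # e.g. "Sep 27 13:20:01 "
# Chained form from the answer: "<timestamp> host/ip prog[pid]: msg"
CHAINED = re.compile(STAMP + r'(?P<host>[^\s/]+)/(?P<ip>' + IPV4 + r')\s')
# Metatag form from the comment: '<timestamp> host prog[pid]: host_ip="ip" msg'
TAGGED = re.compile(STAMP + r'(?P<host>\S+)\s.*?\bhost_ip="(?P<ip>' + IPV4 + r')"')

def extract(line):
    """Return (hostname, ip) from either format, or None if the line has neither."""
    m = CHAINED.match(line) or TAGGED.match(line)
    return (m.group("host").lower(), m.group("ip")) if m else None

def build_inventory(lines):
    """Return (inventory, conflicts): ip -> hostname, and ip -> names needing review."""
    names_by_ip, ips_by_name = defaultdict(set), defaultdict(set)
    for line in lines:
        pair = extract(line)
        if pair:
            host, ip = pair
            names_by_ip[ip].add(host)
            ips_by_name[host].add(ip)
    inventory, conflicts = {}, {}
    for ip, names in names_by_ip.items():
        # One IP claiming several names, or one name seen from several IPs,
        # is not written to the inventory automatically.
        shared = any(len(ips_by_name[n]) > 1 for n in names)
        if len(names) > 1 or shared:
            conflicts[ip] = sorted(names)
        else:
            inventory[ip] = next(iter(names))
    return inventory, conflicts

# First line is the one from the answer; the rest are constructed samples.
SAMPLE = [
    'Sep 27 13:20:01 syslogclient.domain.com/10.72.13.130 CRON[11729]: '
    'pam_unix(cron:session): session closed for user root',
    'Sep 27 13:20:05 web01.domain.com sshd[811]: host_ip="10.72.13.131" Accepted publickey',
    'Sep 27 13:21:10 db01.domain.com/10.72.13.140 CRON[402]: job started',
    'Sep 27 13:21:12 db01.domain.com/10.72.13.141 CRON[977]: job started',
    'Sep 27 13:22:00 kernel: line without a host field',
]

if __name__ == "__main__":
    print(build_inventory(SAMPLE))
```
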