How relaying log messages works
Depending on how you need to relay log messages, many scenarios and AxoSyslog options influence what the log message looks like on the log server. Some of the most common cases are summarized in the following example.
Consider the following example: client-host > relay > server, where the IP address of client-host is 192.168.1.2. The client-host device sends a syslog message to relay. Depending on the settings of relay, the following can happen.
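The options named in the cases below are set in each host's configuration. As an added example (not taken from the AxoSyslog documentation), this is one relay and server pairing for the DNS-resolving case; the destination name "server", the ports, the transports, the object names, and the file path are assumptions made for illustration:

```conf
# ---- relay: fragment to merge into its existing configuration ----
options {
    keep-hostname(no);   # ignore the HOST value received in the message
    use-dns(yes);        # reverse-resolve the sender address (192.168.1.2)
};

source s_clients {
    # listening address, port, and transport are assumptions
    network(ip("0.0.0.0") port(514) transport("udp"));
};

destination d_server {
    # "server" and port 601 are assumptions
    network("server" port(601) transport("tcp"));
};

log { source(s_clients); destination(d_server); };

# ---- server: fragment to merge into its existing configuration ----
options {
    # Keep the HOST field that relay has already set. Without this, every
    # message would be stored under the address of relay.
    keep-hostname(yes);
};

source s_relay {
    # HOST is now taken from the message as-is, so allow only relay
    # to reach this port (for example, with a host firewall rule).
    network(ip("0.0.0.0") port(601) transport("tcp"));
};

destination d_per_host {
    # one file per originating host; the path is an assumption
    file("/var/log/remote/${HOST}.log");
};

log { source(s_relay); destination(d_per_host); };
```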
- By default, the keep-hostname() option is disabled, so relay writes the IP address of the sender host (in this case, 192.168.1.2) to the HOST field of the syslog message, discarding any IP address or hostname that was originally in the message.
- If the keep-hostname() option is enabled on relay, but name resolution is disabled (the use-dns() option is set to no), relay uses the HOST field of the message as-is, which is probably 192.168.1.2.
- To resolve the 192.168.1.2 IP address to a hostname on relay using a DNS server, use the keep-hostname(no) and use-dns(yes) options. If the DNS server is properly configured and reverse DNS lookup is available for the 192.168.1.2 address, AxoSyslog will rewrite the HOST field of the log message to client-host.

  Note: It is also possible to resolve IP addresses locally, without relying on the DNS server. For details on local name resolution, see Resolving hostnames locally.
- The above points apply to the AxoSyslog server (server) as well, so if relay is configured properly, use the keep-hostname(yes) option on server to retain the proper HOST field. Setting keep-hostname(no) on server would result in AxoSyslog rewriting the HOST field to the address of the host that sent the message to server, which is relay in this case.
- If you cannot or do not want to resolve the 192.168.1.2 IP address on relay, but want to store your log messages on server using the IP address of the original host (that is, client-host), you can enable the spoof-source() option on relay. However, spoof-source() works only under the following conditions:
  - The syslog-ng binary has been compiled with the --enable-spoof-source option.
  - The log messages are sent using the highly unreliable UDP transport protocol. (Extremely unrecommended.)
  - The