Thanks Peter, I know the chain_hostnames parameter in syslog-ng, but never thought to simulate that behavior on rsyslog. Nice trick!
Regards!
/Wu

At 2018-10-19 19:52:49, "Peter Viskup via rsyslog" <rsyslog@lists.adiscon.com> wrote:
>syslog-ng has special chain-hostname option for that.
>
>You can simulate it with exec_template with use of standard syslog format:
>http://rsyslog-users.1305293.n2.nabble.com/template/NamlServlet.jtp?macro=print_post&node=7594015
>
>HTH
>--
>Peter
>On Wed, Oct 17, 2018 at 1:38 AM wuhe <bear_2...@163.com> wrote:
>>
>> Thanks David for your reply,
>> Actually I do the similar thing, I store the msg to "Relay Server" and use
>> template to append the "fromhost-ip", then use "imfile" to resend the msg
>> with fromhost-ip to "log server"
>> but this cause disk IO on relay server which worried about the disk
>> performance when client are huge
>> I never use JSON in rsyslog before, I will try your method later
>> Another thing want to confirm is this solution involve disk IO on "relay
>> server" ?
>> Thanks!
>>
>>
>> Regards!
>> /Wu
>> At 2018-10-17 06:28:19, "David Lang" <da...@lang.hm> wrote:
>> >On Wed, 17 Oct 2018, wuhe wrote:
>> >
>> >> Hi :
>> >> want to check how to get the original IP address after forward twice
>> >> in a relay chain?
>> >> like in this chain, how can the "Log Server" get the IP address (not
>> >> hostname ) of "Client A/B/C"
>> >> {Client A, Client B, Client C} ----> {Relay Server} ----> {Log
>> >> Server} (udp is used for forward)
>> >
>> >using the standard syslog format you cannot do so because the relays do not pass
>> >that information on.
>> >
>> >What I do is I repackage the message as JSON so that I can add additional
>> >metadata
>> >
>> >on the relay:
>> >
>> >set $!msg=$msg;
>> >set $!trusted!orig!ip = $fromhost-ip;
>> >
>> >etc (I also have the relays store the timestamp of when they processed the log,
>> >which relay processed it, parse the message, and do other cleanups)
>> >
>> >then define a forwarding format that has %$!% instead of $msg in it.
>> >
>> >then on the log server, you can extract the metadata or the original message
>> >
>> >David Lang
>> >_______________________________________________
>> >rsyslog mailing list
>> >http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >http://www.rsyslog.com/professional-services/
>> >What's up with rsyslog? Follow https://twitter.com/rgerhards
>> >NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> >sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> >LIKE THAT.
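
The JSON repackaging described in David Lang's quoted message, written out as an added configuration sketch for both hosts; it is not part of the original thread and not any poster's actual config. The ports, the target `logserver.example.net`, the relay address `192.0.2.10`, the file paths, the template and ruleset names, and the use of `mmjsonparse` with its default `@cee:` cookie are all assumptions.

```conf
# ---- relay server (added example; names and addresses are placeholders) ----
module(load="imudp")
input(type="imudp" port="514" ruleset="relay")

# Forwarding format with the JSON tree ($!) in place of the message text.
template(name="fwd_json" type="string"
    string="<%pri%>%timestamp:::date-rfc3339% %hostname% %syslogtag:1:32% @cee:%$!%")

ruleset(name="relay") {
    # The relay does not parse client JSON, so $! holds only what is set here.
    set $!msg = $msg;
    set $!trusted!orig!ip = $fromhost-ip;
    # No omfile/imfile step: the message goes straight to the forwarder.
    action(type="omfwd" target="logserver.example.net" port="514"
           protocol="udp" template="fwd_json")
}

# ---- log server (added example) ----
module(load="imudp")
module(load="mmjsonparse")
input(type="imudp" port="514" ruleset="central")

# One line per event: original client IP, then the original message text.
template(name="with_origin" type="string"
    string="%timegenerated:::date-rfc3339% %$!trusted!orig!ip% %syslogtag%%$!msg%\n")
# Fallback for anything that did not arrive from the relay as JSON.
template(name="direct" type="string"
    string="%timegenerated:::date-rfc3339% %fromhost-ip% %syslogtag%%msg%\n")

ruleset(name="central") {
    action(type="mmjsonparse")
    # Honour the relay-supplied field only for packets from the relay address;
    # a client sending @cee JSON directly is logged under its own sender IP.
    if $parsesuccess == "OK" and $fromhost-ip == "192.0.2.10" then {
        action(type="omfile" file="/var/log/remote/clients.log"
               template="with_origin")
    } else {
        action(type="omfile" file="/var/log/remote/direct.log"
               template="direct")
    }
}
```

With UDP the sender address itself can be spoofed, so the `$fromhost-ip` check on the log server is a sanity filter rather than authentication of the relay.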