For what it's worth (http://tools.ietf.org/html/rfc5424):
6.2.4. HOSTNAME The HOSTNAME field identifies the machine that originally sent the syslog message. The HOSTNAME field SHOULD contain the hostname and the domain name of the originator in the format specified in STD 13 [RFC1034]. This format is called a Fully Qualified Domain Name (FQDN) in this document. In practice, not all syslog applications are able to provide an FQDN. As such, other values MAY also be present in HOSTNAME. This document makes provisions for using other values in such situations. A syslog application SHOULD provide the most specific available value first. The order of preference for the contents of the HOSTNAME field is as follows: 1. FQDN 2. Static IP address 3. hostname 4. Dynamic IP address 5. the NILVALUE If an IPv4 address is used, it MUST be in the format of the dotted decimal notation as used in STD 13 [RFC1035]. If an IPv6 address is used, a valid textual representation as described in [RFC4291], Section 2.2, MUST be used. Syslog applications SHOULD consistently use the same value in the HOSTNAME field for as long as possible. The NILVALUE SHOULD only be used when the syslog application has no way to obtain its real hostname. This situation is considered highly unlikely. ----- Original Message ----- From: "Stuart Henderson" <s...@spacehopper.org> To: tech@openbsd.org Sent: Friday, February 1, 2013 5:57:35 AM Subject: Re: Send hostname to remote host with syslogd > From: "Gabriel Linder" <lin...@jeuxvideo.com> > To: tech@openbsd.org > Sent: Wednesday, December 26, 2012 9:40:40 AM > Subject: Send hostname to remote host with syslogd > > While playing with base syslogd and syslog-ng to have a unique loghost > on my network, I noticed that OpenBSD syslogd does not send the hostname > (while other daemons like rsyslog send it), so my loghost log the IP > instead of the hostname. Is there a reason for this behaviour ? Does your loghost really log the provided hostname _instead of_ the IP address? That seems like bad information loss, especially as the hostname here does not include the domain name. I'm a bit undecided as to whether this is really useful (I suppose having it _in addition_ to the IP address might be useful where there's a NAT between log source and destination) but in any event if it's done, I think it should be optional and off by default; it changes the established format and eats into a limited 1K max line length. > The diff below fix this, works for me. Diff is also available at > http://dargor.servebeer.com/~dargor/openbsd/syslogd.diff (thunderbird > likes to mess with my tabs...) see git-format-patch(1) for information about how to correct your Thunderbird settings.