We are forwarding some of our Syslog messages using WinSyslog / MonitorWare Agent, but when the message shows up at the other location, it appears with the forwarding server's IP address instead of the originating device's IP address in the header. Is there a way to forward the messages with the original IP in the header instead?
What you experience is actually a shortcoming in the “Syslog Protocol” itself. The address is taken from the sender, so when a message is relayed, the sender’s address changes. However, there are a number of cures, each depending on your needs, configuration and eventually the edition to use.
- If your devices are RFC 3164 compliant (many are unfortunately not), you can take the hostname from the Syslog header. There is an option in MonitorWare Agent / WinSyslog, “RFC 3164 parsing”, which you can enable to get hold of this. Please note that it is disabled by default because non-compliant devices can really create very strange values in the header fields.
- You can use Adiscon’s proprietary SETP protocol, which solves this issue (this may require an edition upgrade). Click here to know the difference between SETP and Syslog!
- You can forward the message in “XML Format”. That will make it look strange, but you will receive all information. If you do machine parsing, the strangeness may not be an issue (if you work around it in your parser).
- You can also enable the “Include Original Host” option in the Syslog forwarder, which will simply add a tag “FromHost: <ip>” at the beginning of the header. Please note that this in itself is not RFC 3164 compliant.
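The receiving side has to pick the origin back out of whatever the relay left in the message. The parser below is an added example, not code from Adiscon or from WinSyslog / MonitorWare Agent, and it is more general than the answer above: it tries the cures in order on a single relayed datagram (the “FromHost: <ip>” tag, then the RFC 3164 HOSTNAME field, then the relay's own sender address as the last resort) and records which one supplied the value. The sample messages are constructed, and it assumes the “FromHost: <ip>” tag is prepended directly after the PRI field; the sanity check on the header hostname is there for the non-compliant devices mentioned in the first cure.

```python
import re
from dataclasses import dataclass

# <PRI> is 1-3 digits; RFC 3164 says a message without it is treated as <13>.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " (day may be space-padded).
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# Assumed layout of the relay's "Include Original Host" tag (IPv4 only here).
FROMHOST_RE = re.compile(r"^FromHost:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# Plausible HOSTNAME field: dotted-quad or hostname characters only. Non-compliant
# senders put arbitrary text here, which is why the option is off by default.
HOST_OK_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.\-]{0,254})$")


@dataclass
class ParsedSyslog:
    facility: int
    severity: int
    original_host: str   # best-effort origin of the message
    origin_source: str   # which cure supplied original_host
    msg: str             # remaining TAG + CONTENT


def _plausible_host(host: str) -> bool:
    return bool(HOST_OK_RE.match(host))


def parse_relayed(raw: str, sender_ip: str, rfc3164_parsing: bool = True) -> ParsedSyslog:
    """Recover the originating host from a datagram that arrived via a relay.

    sender_ip is the UDP/TCP peer address, i.e. the relay, and is only used
    when nothing better is present in the message. Anything taken from the
    message body is sender-controlled text: it is fine for correlation and
    display, but must not drive trust decisions on its own.
    """
    m = PRI_RE.match(raw)
    if m:
        pri, body = int(m.group(1)), raw[m.end():]
    else:
        pri, body = 13, raw
    facility, severity = divmod(pri, 8)

    origin, source = sender_ip, "relay sender address"

    # Cure 4: the relay's own "FromHost: <ip>" tag, assumed right after PRI.
    fh = FROMHOST_RE.match(body)
    if fh:
        origin, source = fh.group("ip"), "FromHost tag"
        body = body[fh.end():].lstrip()

    # Cure 1: HOSTNAME from a compliant RFC 3164 header, if parsing is enabled.
    h = RFC3164_RE.match(body)
    if h:
        body = h.group("rest")
        host = h.group("host")
        if source != "FromHost tag" and rfc3164_parsing and _plausible_host(host):
            origin, source = host, "RFC 3164 header"

    return ParsedSyslog(facility, severity, origin, source, body)


# Constructed sample traffic: every message arrives from the relay at 10.0.0.5.
RELAY_IP = "10.0.0.5"
SAMPLES = [
    "<34>Oct 11 22:14:15 fw01 kernel: blocked connection",          # compliant header
    "<13>FromHost: 192.0.2.10 Oct 11 22:14:15 fw01 app: hello",     # relay tag present
    "<13>some non-compliant message without header",               # nothing usable
    "<13>Oct 11 22:14:15 ???weird!! tag: msg",                      # junk in HOSTNAME
]

if __name__ == "__main__":
    for line in SAMPLES:
        p = parse_relayed(line, RELAY_IP)
        print(f"{p.original_host:<12} via {p.origin_source:<21} {p.msg}")
```

Running the block prints one line per sample showing which source won; with `rfc3164_parsing=False` the first sample falls back to the relay address, which is exactly the situation the question describes.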