[rsyslog-notify] Forum Thread: Re: How to display ip-address of relaying host - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Thu Nov 12 17:49:23 CET 2015


User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26136#p26136

Message: 
----------
fromhost-ip is created locally inside rsyslog by looking at the packet
headers to see where the network packets came from.

if you send logs from system1 to a relay on system2 that then sends to
system3, at system3, hostname will be what system1 puts in the message,
fromhost-ip will be system2's IP address

this is because, per RFC, when relaying a message, you do not change the
hostname in the message, so system3 will still see the hostname

but the packets arriving at system3 are from the IP address of system2, so
fromhost-ip will show you system2's IP address.

by default, fromhost-ip is not recorded anywhere, it's an internal variable
that can be used in custom templates, so if you don't have control over
system3 you aren't going to be able to do much, the data is there but you
won't be able to record it.

does this help?
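
An added example, not part of the forum post or the rsyslog project's own configuration: a collector-side (system3) rsyslog fragment that records fromhost-ip next to the hostname taken from the message, so each line shows both the originating host and the relay that delivered it. The port, ruleset name, template name and file path are assumptions.

```conf
# Collector (system3 in the post). Names and paths below are assumptions.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# %hostname%    = hostname field inside the message (system1, unchanged by the relay)
# %fromhost-ip% = source address of the packets as seen locally (system2, the relay)
template(name="WithSenderIP" type="string"
         string="%timegenerated:::date-rfc3339% sender_ip=%fromhost-ip% host=%hostname% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

ruleset(name="remote") {
    action(type="omfile"
           file="/var/log/remote-with-sender-ip.log"
           template="WithSenderIP")
}
```

With this in place, a line relayed through system2 carries system1's name in `host=` and system2's address in `sender_ip=`.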

