Forwarding Syslog Across Networks Without Losing Your Source IP
Forwarding syslog events between networks sounds straightforward. It is not. Between NAT boundaries, relay servers, message parsers, and hostname rewrites, the original source of an event can dissolve into the infrastructure before it ever reaches disk. This guide is a ground-up walkthrough of what it actually takes to get events from a device on one network reliably written to disk on another — with the correct source identity intact.

The scenario here is real: a router sitting on a private network sends syslog to a relay server. That relay forwards everything to a central aggregator that writes logs to disk organized by source host. The problem — and it is a surprisingly deep one — is that by the time events land on disk, the host field reads as the relay server’s IP, not the original device. Fixing this requires understanding how syslog-ng handles host identity at every stage of the pipeline. ...
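The pipeline just described, as an added syslog-ng configuration example that is not taken from this guide. The addresses (192.168.10.1 for the router, 10.0.0.5 for the relay, 10.0.0.10 for the aggregator), the ports and the file paths are assumptions. The first aggregator snippet reproduces the failure: syslog-ng's default keep_hostname(no) overwrites the HOST field at every hop with the address of whichever peer delivered the message, so at the aggregator that peer is the relay and every line is filed under the relay's IP. The second snippet keeps the HOST value the relay supplied, restricts who may supply it, and records the delivering peer separately in ${SOURCEIP} so the file path names the router while each line still shows which relay handed it over.

```conf
# Three separate files, shown together. Each needs the usual "@version:" line
# matching your installed syslog-ng (omitted here; syslog-ng warns if it is missing).

# --- /etc/syslog-ng/syslog-ng.conf on the RELAY (10.0.0.5) ---
# keep_hostname(no) is the default and is deliberate on this hop: HOST is stamped
# with the real source address of the sender (192.168.10.1) rather than whatever
# hostname string the device wrote into the message. use_dns(no) avoids a DNS
# lookup per message and a renamed host via a spoofed PTR record.
options { keep_hostname(no); use_dns(no); use_fqdn(no); chain_hostnames(no); };

source s_router { network(ip("0.0.0.0") port(514) transport("udp")); };
destination d_aggregator { network("10.0.0.10" port(6514) transport("tcp")); };
log { source(s_router); destination(d_aggregator); };

# --- AGGREGATOR (10.0.0.10), BROKEN: default host handling ---
# With keep_hostname(no) the aggregator also rewrites HOST, this time to the
# peer that delivered the message: the relay. Every file lands under
# /var/log/remote/10.0.0.5/ and the router's identity is gone.
options { keep_hostname(no); use_dns(no); };

source s_relay { network(ip("0.0.0.0") port(6514) transport("tcp")); };
destination d_byhost { file("/var/log/remote/${HOST}/messages" create_dirs(yes)); };
log { source(s_relay); destination(d_byhost); };

# --- AGGREGATOR (10.0.0.10), FIXED: keep the relay-supplied HOST, from the relay only ---
# keep_hostname(yes) means HOST is taken from the message as received, so any
# peer allowed to reach this port can claim any hostname. The netmask() filter
# matches on the address of the last hop (the delivering peer), not on the HOST
# field, which is exactly what makes it usable as an allow-list here. A firewall
# rule or TLS with peer verification is the stronger control; this is the minimum.
options { keep_hostname(yes); chain_hostnames(no); use_dns(no); };

source s_relay { network(ip("0.0.0.0") port(6514) transport("tcp")); };
filter f_from_relay { netmask("10.0.0.5/32"); };

# ${HOST} now carries the router's address as stamped by the relay;
# ${SOURCEIP} is the peer this process received the message from (the relay).
destination d_byhost {
    file("/var/log/remote/${HOST}/messages"
         create_dirs(yes)
         template("${ISODATE} ${HOST} via=${SOURCEIP} ${MSGHDR}${MSG}\n"));
};
log { source(s_relay); filter(f_from_relay); destination(d_byhost); };
```

With the fixed pair of configs, a message from the router ends up at /var/log/remote/192.168.10.1/messages with "via=10.0.0.5" on the line. If you would rather file by the hostname the router itself configured, set keep_hostname(yes) on the relay as well, accepting that the device then names itself and nothing on the path verifies that claim. Check each file with `syslog-ng -s -f <file>` before reloading; a duplicate source or destination name (as would happen if the two aggregator variants were ever merged into one file) is rejected at that stage.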