How to forward the messages with the original IP in the header instead of sender's IP address?
Created 2004-06-14 by Tamsila-Q-Siddique
We are forwarding some of Syslog messages using
WinSyslog / MonitorWare Agent,
but when the message shows up at the other location, it appears with the
forwarding servers IP address instead of the originating devices IP address in
the header. Is there a way to forward the messages with the original IP in the
What you experience is actually a shortcoming in the
"Syslog Protocol" itself. The address is taken from the sender, so when a
message is relayed, the sender's address changes. However, there are a number of
cures, each depending on your needs, configuration and eventually the edition to
If your devices are RFC 3164 compliant (many are
unfortunately not), you can take the hostname from the Syslog header. There is an option in MonitorWare Agent /
WinSyslog "RFC 314 parsing" which you can enable to get hold of this.
Please note that it is
disabled by default because non-compliant devices can really create very strange values in the header
You can use Adiscon's proprietary SETP protocol, which solves
this issue (this may require an edition upgrade). Click
here to know the difference between SETP and Syslog!
You can forward the message in "XML Format". That will
make it look strange, but you will receive all information. If you do machine
parsing, the strangeness may not be an issue (if you work around it in your
You can also enable the "Include Original Host" option in the Syslog forwarder, which
will simply add a tag "FromHost: <ip>" at the beginning of the header.
Please note that this in itself is not RFC 3164 compliant.
Click on MonitorWare Agent and WinSyslog to see different editions of