Remote syslog passing client hostname not just IP address?

Hello folks,

I wonder whether you can help me.

I am receiving the following message on the log server, partially as intended, but I require that it include the hostname of the client. It does include the IP address 10.x.x.130, but this needs to be resolved to the actual client hostname.

Code:
Oct 10 13:52:43 10.x.x.130/10.x.x.130 sshd[32538]: error: PAM: authentication error for root from hostname123.intranet.foo.com

Furthermore, going forward, I have been told that the client syslog messages will eventually pass through an F5 load balancer on their way to the remote syslog server, so I am concerned that the IP address above will also become that of the F5 load balancer. I am not sure if this will occur or not, but I mention it in case it's of relevance.

So in a nutshell I need to find a method so that the client injects its hostname into the remote syslog message. Any ideas? Is there a directive to syslogd.conf or elsewhere?

Any help would be very much appreciated!

Thank you.
 
What syslog version are you using? Perhaps an even better question: Which FreeBSD version do you use?

The reason I ask is because /usr/sbin/syslogd does this by default. It even has a command-line option (-n) to stop it from using DNS queries to resolve the hostnames.

So my guess is that this IP address sits in a private network range and thus your (sys)log server doesn't know and cannot find the associated name (unless you use a private DNS server of course, but considering your question I somewhat doubt that).

My suggestion would be to utilize /etc/hosts on the "syslog host". Simply add the IP address and the name. After that the log server should be able to resolve the IP address to a name. That is, if my assumption is right that syslogd also honours nsswitch.conf.
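
An added example, not part of either post above: a small sh script for the log server that lists the senders syslogd recorded by address only and checks whether a hosts-format file already has an entry for each. It assumes the classic line layout shown in the question (host in the fourth field); the function names, addresses and hostnames are constructed for illustration.

```sh
#!/bin/sh
# Added example: find senders logged by IP address and check hosts-file coverage.

# Read syslog lines on stdin and print "count address" for every sender whose
# host field (4th field) is still an IPv4 address. A field of the form
# "addr/addr", as in the question's log line, is reduced to its first part.
unresolved_senders() {
    awk '{
        host = $4
        sub(/\/.*/, "", host)
        if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) seen[host]++
    }
    END { for (h in seen) print seen[h], h }' | sort -k2
}

# Succeed if the hosts-format file $1 maps address $2 to at least one name.
# Comments are stripped first so a commented-out entry does not count.
has_hosts_entry() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }
        $1 == ip && NF >= 2 { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Read syslog lines on stdin; report each unresolved sender against file $1.
report() {
    unresolved_senders | while read -r count ip; do
        if has_hosts_entry "$1" "$ip"; then
            echo "$ip ($count lines): entry present"
        else
            echo "$ip ($count lines): no entry"
        fi
    done
}

# Constructed sample log lines (addresses and names are made up).
sample_log() {
cat <<'EOF'
Oct 10 13:52:43 10.0.0.130/10.0.0.130 sshd[32538]: error: PAM: authentication error for root from client.example
Oct 10 13:53:01 10.0.0.130/10.0.0.130 sshd[32541]: Connection closed by 10.0.0.5
Oct 10 13:53:10 web01 cron[411]: (root) CMD (newsyslog)
Oct 10 13:54:22 10.0.0.131 sudo: operator : TTY=pts/0 ; COMMAND=/bin/ls
EOF
}

# Demo: check the constructed sample against a hosts file (default /etc/hosts).
sample_log | report "${1:-/etc/hosts}"
```

On a real log server, feed the actual log file to `report` instead of `sample_log`; senders reported with no entry are the ones that will keep appearing by address.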
 