> Hi Rainer, > This pretty much matches with the image I have in mind. > Till there is no "original sender" in the syslog message > itself I guess that we will have to do with the "last sender".
I assume we are talking about a syslog relay chain BEFORE the realy that issues the trap here. Actually, in this case, it is the original sender, because a relay is not allowed to modify the message - so the hostname will always be that of the original sender. Of course, if a syslog message is transformed to some other transport and the retransformed (at some later stage) to a syslog message, the sender might have changed. However, this has more implications, eg message signatures would be broken. So any architecture converting syslog messages should try hard NOT to alter the message. But in the context of this discussion /transport mapping to snmp/ I think we can assume that it is the original sender. Rainer
