Hi,

I'm running rsyslog in a container. Basically just an ubuntu image with rsyslogd installed and a template configuration like this:

$template FILENAME,"/var/log/%fromhost-ip%/%hostname%/syslog.log"

Exposed ports in Dockerfile: EXPOSE 514/tcp 514/udp

Now this works in general just fine, but I discovered some strange behavior regarding the source IP of the syslog packets: Sometimes the messages for remote systems end up in [remote-host-ip]/[container-hostname]/syslog.log, then after some time, they end up in [docker0-bridges-ip]/[container-hostname]/syslog.log. This seems to flip around from now and then.

As far as I understand, the expected behavior is:

• If you connect to a exposed port from localhost, inside the container the source IP is the IP of the docker0 bridge
• If you connect to a exposed port from a remote system, the source IP is the IP of the remote system

But it seems somehow those packets get routed via the docker0 IP and sometimes not. This makes not only running a syslog server hard but also debugging request logs in general.