I’ve finally modified rsyslog so that it can run in multiple instances. With that, I could now set up the syslog demo machine so that it runs two instances of rsyslogd. One instance is the “real” rsyslogd, which listens locally. The other instance is the demo rsyslogd, which reads data from the network and shuffles it to the database. As the database was very silent, I were now able to add some rules to forward some events from the real rsyslogd to the demo one. I do this mostly with postfix messages. For demo purposes, I’ve set up a fake postfix. Whoever sends mail to it, gets a bounce back. But the good thing is that postfix has something to do and as such messages will be added to the (demo) system log. I am sure spammers will pick up the mail address from web pages like this one, so I will have a healthy flow of log messages shortly ;)