Doing a reverse lookup I get the entire fqdn....which has always been the case for any reverse lookup.
For rsyslog that hasn't been the case. When I finally put rsyslog into production the host names would come up with generic names. NOT the fqdn which I was fine with that. Some more information to help shed light on this.... On May 30th I updated from Updated rsyslog-7.2.6-3.el6.x86_64 TO 7.2.7-1.el6.x86_64 via yum update Today I updated from Updated rsyslog-7.2.7-1.el6.x86_64 TO 7.4.1-1.el6.x86_64 via yum update So up until today the way that rsyslog was handling the host names would be like this. If my fqdn was server1.test.domain.lan then it would put it in a folder labeled server1 As of the change it goes to a folder with the full fqdn. Hope this helps with clarity. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of David Lang Sent: Friday, June 21, 2013 3:06 PM To: rsyslog-users Subject: Re: [rsyslog] Changes from update? $source is a reverse DNS lookup of the IP address that the logs come from. what do you get when you do a nslookup of those IP addresses? hostname should be what's in the message, is that no longer the case? David Lang On Fri, 21 Jun 2013, Josh Bitto wrote: > Hello Everyone, > > Well I did an update on my syslog server that uses rsyslog. I went from > version (whatever was current in april) to rsyslog-7.4.1-1.el6.x86_64 as well > as other updates (yum update) when I restarted the service for rsyslog it > changed the nature of two hosts that are logged to their respective > allocations. > > I looked at the config and the rsyslog.conf has not changed at all. > > So my question is with the newest release available from a centos mirror > would there be in any changes that were made that would define how to log > data that comes in? > > Sample of my config that pertains to this issue: > > $template zonedir,"/var/log/hosts/%HOSTNAME%/messages" > $template zonedir1,"/var/log/hosts/%HOSTNAME%/success" > > > if $source == 'zonedirector.it.kcc.lan' and $syslogseverity <= '4' > then{ > *.* ?zonedir > } else { > *.* ?zonedir1 > stop > } > > Under normal circumstances the way that it would be logged is to > /var/log/hosts/hostname/messages /var/log/hosts/hostname/success > > NOW....what is happening is I'm getting an entirely new directory with the > full fqdn as the directory name. > /var/log/hosts/fqdn.at.some.network/messages > > Which includes both message and success logs as outlined in the above config. > > There are only two hosts that are doing this, but both of them are doing the > same thing. The weird part is there are other hosts that are also setup the > exact same way and they are not logging in this manner. Any ideas? > > The reason I have it setup is this way is that I can still log crucial and > non-crucial data and point my splunk server to a crucial file location for > indexing. > > > Joshua Bitto > Information Technologist > KCC > > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites > beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
