On Fri, 21 Jun 2013, Josh Bitto wrote:
> Doing a reverse lookup I get the entire fqdn....which has always been the case
> for any reverse lookup.
>
> For rsyslog that hasn't been the case. When I finally put rsyslog into
> production the host names would come up with generic names, NOT the fqdn, which
> I was fine with.
>
> Some more information to help shed light on this....
>
> On May 30th I updated from
> Updated rsyslog-7.2.6-3.el6.x86_64 TO 7.2.7-1.el6.x86_64 via yum update
> Today I updated from
> Updated rsyslog-7.2.7-1.el6.x86_64 TO 7.4.1-1.el6.x86_64 via yum update
>
> So up until today the way that rsyslog was handling the host names would be
> like this.
> If my fqdn was server1.test.domain.lan then it would put it in a folder labeled
> server1
> As of the change it goes to a folder with the full fqdn.

Ok, that does help. There is a config option called preservefqdn, it sounds like
it's gotten turned on.
this could be a bug, or it could be that you include configs (say from
/etc/rsyslog.conf.d) and something in the upgrade dropped a config file in
there.
check that and also try explicitly turning it off
Also, this only strips off the domain part of the name if it's the same as the
server, did this change?
Another thing to check is to see if the sending system is putting the full name
or the short name in the log when it sends it out.
The fact that this is only happening for a couple of systems makes me suspicious
that the senders have started to put it in the log when they send it.
David Lang
> Hope this helps with clarity.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of David Lang
> Sent: Friday, June 21, 2013 3:06 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Changes from update?
>
> $source is a reverse DNS lookup of the IP address that the logs come from. what
> do you get when you do an nslookup of those IP addresses?
>
> hostname should be what's in the message, is that no longer the case?
>
> David Lang
>
> On Fri, 21 Jun 2013, Josh Bitto wrote:
>
> > Hello Everyone,
> >
> > Well I did an update on my syslog server that uses rsyslog. I went from version
> > (whatever was current in April) to rsyslog-7.4.1-1.el6.x86_64 as well as other
> > updates (yum update). When I restarted the service for rsyslog it changed the
> > nature of two hosts that are logged to their respective allocations.
> >
> > I looked at the config and the rsyslog.conf has not changed at all.
> >
> > So my question is with the newest release available from a centos mirror would
> > there be any changes that were made that would define how to log data that
> > comes in?
> >
> > Sample of my config that pertains to this issue:
> >
> > $template zonedir,"/var/log/hosts/%HOSTNAME%/messages"
> > $template zonedir1,"/var/log/hosts/%HOSTNAME%/success"
> > if $source == 'zonedirector.it.kcc.lan' and $syslogseverity <= '4'
> > then {
> >     *.* ?zonedir
> > } else {
> >     *.* ?zonedir1
> >     stop
> > }
> >
> > Under normal circumstances the way that it would be logged is to
> > /var/log/hosts/hostname/messages
> > /var/log/hosts/hostname/success
> >
> > NOW....what is happening is I'm getting an entirely new directory with the full
> > fqdn as the directory name.
> > /var/log/hosts/fqdn.at.some.network/messages
> > Which includes both message and success logs as outlined in the above config.
> >
> > There are only two hosts that are doing this, but both of them are doing the
> > same thing. The weird part is there are other hosts that are also set up the
> > exact same way and they are not logging in this manner. Any ideas?
> >
> > The reason I have it set up this way is that I can still log crucial and
> > non-crucial data and point my splunk server to a crucial file location for
> > indexing.
> >
> > Joshua Bitto
> > Information Technologist
> > KCC
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
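
Added example, not part of the original thread: one way to run the check suggested in the reply above, whether a sender has started writing the full name instead of the short name into the HOSTNAME field of its messages. It assumes raw RFC 3164 messages have already been captured on the receiver together with the sender's IP address; the IP addresses, sample lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text
RFC3164 = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<host>\S+) "
)

# Constructed sample: (sender IP, raw message as captured on the receiver).
SAMPLE = [
    ("192.0.2.10", "<134>Jun 21 14:01:02 server1 sshd[811]: session opened"),
    ("192.0.2.10", "<134>Jun 21 15:20:40 server1.test.domain.lan sshd[902]: session opened"),
    ("192.0.2.11", "<131>Jun 21 15:21:00 server2 kernel: link down"),
    ("192.0.2.12", "<134>Jun 21 15:21:05 server3.test.domain.lan cron[77]: job start"),
    ("192.0.2.13", "not a syslog header"),
    ("192.0.2.14", "<134>Jun 21 15:22:00 192.0.2.14 app: started"),
]

def hostname_field(raw):
    """Return the HOSTNAME the sender wrote into the header, or None."""
    m = RFC3164.match(raw)
    return m.group("host") if m else None

def classify(name):
    """Label a header hostname as 'ip', 'fqdn' or 'short'."""
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        return "fqdn" if "." in name.rstrip(".") else "short"

def audit(records):
    """Per sender IP, report which hostname form(s) it has used."""
    forms = defaultdict(set)
    unparsed = []
    for ip, raw in records:
        host = hostname_field(raw)
        if host is None:
            unparsed.append(ip)  # header did not parse; inspect by hand
        else:
            forms[ip].add(classify(host))
    report = {ip: ("mixed" if len(k) > 1 else next(iter(k)))
              for ip, k in forms.items()}
    return report, unparsed

if __name__ == "__main__":
    report, unparsed = audit(SAMPLE)
    for ip, form in sorted(report.items()):
        print(ip, form)
    print("unparsed:", unparsed)
```

A sender reported as "mixed" changed the form of its own HOSTNAME field during the capture window, which points at the sender rather than at the receiver's configuration.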