On Mon, Jun 24, 2013 at 6:03 PM, Josh Bitto <[email protected]> wrote:

> Thanks Rainer,
>
> I actually reverted back to the previous version and can confirm it. It
> started logging the initial way that it has been. So I think I will keep
> with that version for now.
>

TBH I don't think that's a very good idea, as you won't see any updates for
that version...

Rainer

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> Sent: Monday, June 24, 2013 8:46 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Changes from update?
>
> On Mon, Jun 24, 2013 at 5:26 PM, Josh Bitto <[email protected]> wrote:
>
> > David,
> >
> > I looked at my rsyslog.conf and there are no functions that I can find
> > for the preservefqdn. I can send a copy of my config if you want.
> > Anywho I can talk with the admin that handles those two systems and
> > see if he made any changes that could support your theory.
> >
>
> The ChangeLog tells that in 7.3.11 there was a bugfix for FQDN's not being
> properly handled. It claims this bug:
> http://bugzilla.adiscon.com/show_bug.cgi?id=426
>
> Sounds like this is related.
>
> Rainer
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > Sent: Friday, June 21, 2013 4:35 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Changes from update?
> >
> > On Fri, 21 Jun 2013, Josh Bitto wrote:
> >
> > > Doing a reverse lookup I get the entire fqdn....which has always been
> > > the case for any reverse lookup.
> > >
> > > For rsyslog that hasn't been the case. When I finally put rsyslog into
> > > production the host names would come up with generic names. NOT the
> > > fqdn which I was fine with that.
> > >
> > > Some more information to help shed light on this....
> > >
> > > On May 30th I updated from
> > > Updated rsyslog-7.2.6-3.el6.x86_64 TO 7.2.7-1.el6.x86_64 via yum update
> > >
> > > Today I updated from
> > > Updated rsyslog-7.2.7-1.el6.x86_64 TO 7.4.1-1.el6.x86_64 via yum update
> > >
> > > So up until today the way that rsyslog was handling the host names
> > > would be like this.
> > >
> > > If my fqdn was server1.test.domain.lan then it would put it in a
> > > folder labeled server1
> > > As of the change it goes to a folder with the full fqdn.
> >
> > Ok, that does help. There is a config option called preservefqdn, it
> > sounds like it's gotten turned on.
> >
> > this could be a bug, or it could be that you include configs (say from
> > /etc/rsyslog.conf.d) and something in the upgrade dropped a config
> > file in there.
> >
> > check that and also try explicitly turning it off
> >
> > Also, this only strips off the domain part of the name if it's the
> > same as the server, did this change?
> >
> > Another thing to check is to see if the sending system is putting the
> > full name or the short name in the log when it sends it out.
> >
> > The fact that this is only happening for a couple of systems makes me
> > suspicious of the senders have started to put it in the log when they
> > send it.
> >
> > David Lang
> >
> > > Hope this helps with clarity.
> > >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > > Sent: Friday, June 21, 2013 3:06 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] Changes from update?
> > >
> > > $source is a reverse DNS lookup of the IP address that the logs come
> > > from. what do you get when you do a nslookup of those IP addresses?
> > >
> > > hostname should be what's in the message, is that no longer the case?
> > >
> > > David Lang
> > >
> > > On Fri, 21 Jun 2013, Josh Bitto wrote:
> > >
> > >> Hello Everyone,
> > >>
> > >> Well I did an update on my syslog server that uses rsyslog. I went
> > >> from version (whatever was current in april) to
> > >> rsyslog-7.4.1-1.el6.x86_64 as well as other updates (yum update) when
> > >> I restarted the service for rsyslog it changed the nature of two
> > >> hosts that are logged to their respective allocations.
> > >>
> > >> I looked at the config and the rsyslog.conf has not changed at all.
> > >>
> > >> So my question is with the newest release available from a centos
> > >> mirror would there be in any changes that were made that would define
> > >> how to log data that comes in?
> > >>
> > >> Sample of my config that pertains to this issue:
> > >>
> > >> $template zonedir,"/var/log/hosts/%HOSTNAME%/messages"
> > >> $template zonedir1,"/var/log/hosts/%HOSTNAME%/success"
> > >>
> > >>
> > >> if $source == 'zonedirector.it.kcc.lan' and $syslogseverity <= '4' then{
> > >> *.* ?zonedir
> > >> } else {
> > >> *.* ?zonedir1
> > >> stop
> > >> }
> > >>
> > >> Under normal circumstances the way that it would be logged is to
> > >> /var/log/hosts/hostname/messages
> > >> /var/log/hosts/hostname/success
> > >>
> > >> NOW....what is happening is I'm getting an entirely new directory
> > >> with the full fqdn as the directory name.
> > >> /var/log/hosts/fqdn.at.some.network/messages
> > >>
> > >> Which includes both message and success logs as outlined in the
> > >> above config.
> > >>
> > >> There are only two hosts that are doing this, but both of them are
> > >> doing the same thing. The weird part is there are other hosts that
> > >> are also setup the exact same way and they are not logging in this
> > >> manner. Any ideas?
> > >>
> > >> The reason I have it setup is this way is that I can still log
> > >> crucial and non-crucial data and point my splunk server to a crucial
> > >> file location for indexing.
> > >>
> > >>
> > >> Joshua Bitto
> > >> Information Technologist
> > >> KCC
> > >>
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > >> POST if you DON'T LIKE THAT.
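
The "explicitly turning it off" step suggested in the thread, written out as an added example (not code from any poster or from the rsyslog project): it states the setting in the main config and makes the per-host directory independent of whether a sender puts the short name or the FQDN in the message. It reuses the template names and paths from the quoted config and assumes the legacy `$PreserveFQDN` directive and the property replacer's field-extraction syntax.

```conf
# Added example, legacy directive syntax as used in the thread's config.
# Validate before restarting the service with:  rsyslogd -N1

# 1. State the intended value in the main config instead of relying on a
#    default. Legacy directives are processed in order, so also check any
#    included files for a later line that sets it again.
$PreserveFQDN off

# 2. Before (as posted): the directory is whatever HOSTNAME contains, so
#    "server1" and "server1.test.domain.lan" end up in two separate trees
#    and a collector watching only one of them misses the other.
#$template zonedir,"/var/log/hosts/%HOSTNAME%/messages"
#$template zonedir1,"/var/log/hosts/%HOSTNAME%/success"

# 3. After: field extraction (F) with delimiter ASCII 46 ('.') and field
#    number 1 keeps only the text before the first dot, so both forms of
#    the name map to /var/log/hosts/server1/.
$template zonedir,"/var/log/hosts/%HOSTNAME:F,46:1%/messages"
$template zonedir1,"/var/log/hosts/%HOSTNAME:F,46:1%/success"

# Caveat: a sender whose HOSTNAME field is an IPv4 address would be filed
# under its first octet with this template; route such senders through a
# separate rule if any exist.
```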

