On Mon, Jun 24, 2013 at 6:08 PM, Josh Bitto <[email protected]> wrote:
> I appreciate that and I would like to update to the newer version, but as of right now I have a lot of other systems tied to this directory setup. I don't have the time at the moment to reconfigure all of those. We are ramping up for our next school year and have more pressing projects to get done. I will be coming back to this though ;)

my point is that this just fixed some problem related to $PreserveFQDN which seems to be somewhere in your config. If you send me a startup debug log (private mail OK), I can check if I see it or if there actually is a problem with the patch.

Rainer

> Josh
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> Sent: Monday, June 24, 2013 9:05 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Changes from update?
>
> On Mon, Jun 24, 2013 at 6:03 PM, Josh Bitto <[email protected]> wrote:
>
> > Thanks Rainer,
> >
> > I actually reverted back to the previous version and can confirm it. It started logging the initial way that it has been. So I think I will keep with that version for now.
>
> TBH I don't think that's a very good idea, as you won't see any updates for that version...
>
> Rainer
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> > Sent: Monday, June 24, 2013 8:46 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Changes from update?
> >
> > On Mon, Jun 24, 2013 at 5:26 PM, Josh Bitto <[email protected]> wrote:
> >
> > > David,
> > >
> > > I looked at my rsyslog.conf and there are no functions that I can find for the preservefqdn. I can send a copy of my config if you want. Anywho I can talk with the admin that handles those two systems and see if he made any changes that could support your theory.
> >
> > The ChangeLog tells that in 7.3.11 there was a bugfix for FQDN's not being properly handled.
> > It claims this bug:
> > http://bugzilla.adiscon.com/show_bug.cgi?id=426
> >
> > Sounds like this is related.
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > > Sent: Friday, June 21, 2013 4:35 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] Changes from update?
> > >
> > > On Fri, 21 Jun 2013, Josh Bitto wrote:
> > >
> > > > Doing a reverse lookup I get the entire fqdn....which has always been the case for any reverse lookup.
> > > >
> > > > For rsyslog that hasn't been the case. When I finally put rsyslog into production the host names would come up with generic names. NOT the fqdn which I was fine with that.
> > > >
> > > > Some more information to help shed light on this....
> > > >
> > > > On May 30th I updated from
> > > > Updated rsyslog-7.2.6-3.el6.x86_64 TO 7.2.7-1.el6.x86_64 via yum update
> > > >
> > > > Today I updated from
> > > > Updated rsyslog-7.2.7-1.el6.x86_64 TO 7.4.1-1.el6.x86_64 via yum update
> > > >
> > > > So up until today the way that rsyslog was handling the host names would be like this.
> > > >
> > > > If my fqdn was server1.test.domain.lan then it would put it in a folder labeled server1
> > > > As of the change it goes to a folder with the full fqdn.
> > >
> > > Ok, that does help. There is a config option called preservefqdn, it sounds like it's gotten turned on.
> > >
> > > this could be a bug, or it could be that you include configs (say from /etc/rsyslog.conf.d) and something in the upgrade dropped a config file in there.
> > >
> > > check that and also try explicitly turning it off
> > >
> > > Also, this only strips off the domain part of the name if it's the same as the server, did this change?
> > >
> > > Another thing to check is to see if the sending system is putting the full name or the short name in the log when it sends it out.
> > >
> > > The fact that this is only happening for a couple of systems makes me suspicious that the senders have started to put it in the log when they send it.
> > >
> > > David Lang
> > >
> > > > Hope this helps with clarity.
> > > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > > > Sent: Friday, June 21, 2013 3:06 PM
> > > > To: rsyslog-users
> > > > Subject: Re: [rsyslog] Changes from update?
> > > >
> > > > $source is a reverse DNS lookup of the IP address that the logs come from. what do you get when you do a nslookup of those IP addresses?
> > > >
> > > > hostname should be what's in the message, is that no longer the case?
> > > >
> > > > David Lang
> > > >
> > > > On Fri, 21 Jun 2013, Josh Bitto wrote:
> > > >
> > > >> Hello Everyone,
> > > >>
> > > >> Well I did an update on my syslog server that uses rsyslog. I went from version (whatever was current in april) to rsyslog-7.4.1-1.el6.x86_64 as well as other updates (yum update) when I restarted the service for rsyslog it changed the nature of two hosts that are logged to their respective allocations.
> > > >>
> > > >> I looked at the config and the rsyslog.conf has not changed at all.
> > > >>
> > > >> So my question is with the newest release available from a centos mirror would there be any changes that were made that would define how to log data that comes in?
> > > >>
> > > >> Sample of my config that pertains to this issue:
> > > >>
> > > >> $template zonedir,"/var/log/hosts/%HOSTNAME%/messages"
> > > >> $template zonedir1,"/var/log/hosts/%HOSTNAME%/success"
> > > >>
> > > >> if $source == 'zonedirector.it.kcc.lan' and $syslogseverity <= '4' then {
> > > >>     *.* ?zonedir
> > > >> } else {
> > > >>     *.* ?zonedir1
> > > >>     stop
> > > >> }
> > > >>
> > > >> Under normal circumstances the way that it would be logged is to
> > > >> /var/log/hosts/hostname/messages
> > > >> /var/log/hosts/hostname/success
> > > >>
> > > >> NOW....what is happening is I'm getting an entirely new directory with the full fqdn as the directory name.
> > > >> /var/log/hosts/fqdn.at.some.network/messages
> > > >>
> > > >> Which includes both message and success logs as outlined in the above config.
> > > >>
> > > >> There are only two hosts that are doing this, but both of them are doing the same thing. The weird part is there are other hosts that are also set up the exact same way and they are not logging in this manner. Any ideas?
> > > >>
> > > >> The reason I have it set up this way is that I can still log crucial and non-crucial data and point my splunk server to a crucial file location for indexing.
> > > >>
> > > >> Joshua Bitto
> > > >> Information Technologist
> > > >> KCC
> > > >>
> > > >> _______________________________________________
> > > >> rsyslog mailing list
> > > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >> http://www.rsyslog.com/professional-services/
> > > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
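
The two checks suggested in the thread (look for a PreserveFQDN setting in the main config and in included config files, and see which hosts have ended up with both a short-name and an FQDN directory) can be scripted. This is an added example, not code from the thread or from the rsyslog project; the function names find_preservefqdn and find_split_hostdirs are hypothetical, /etc/rsyslog.conf is an assumed default path, and includes are assumed to use the legacy $IncludeConfig directive.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and default paths are
# assumptions; pass your own config file and log base directory as arguments.

# Print each non-comment PreserveFQDN setting found in CONF and in the files
# matched by its legacy $IncludeConfig globs, as file:line:text.
find_preservefqdn() {
    conf=$1
    [ -r "$conf" ] || return 1
    # e.g. "$IncludeConfig /etc/rsyslog.d/*.conf" yields "/etc/rsyslog.d/*.conf"
    includes=$(sed -n 's/^[[:space:]]*\$IncludeConfig[[:space:]]\{1,\}//p' "$conf")
    # $includes is left unquoted on purpose so the shell expands the globs.
    for f in "$conf" $includes; do
        [ -f "$f" ] || continue
        # Catches legacy "$PreserveFQDN on" and global(preserveFQDN="on");
        # the second grep drops lines whose text starts with '#'.
        grep -inH 'preservefqdn' "$f" \
            | grep -v '^[^:]*:[0-9]*:[[:space:]]*#' || true
    done
    return 0
}

# Print "short fqdn" for every directory under BASE that is named with a
# dotted host name while a short-name sibling exists, meaning one host's
# logs are now split across two trees.
find_split_hostdirs() {
    base=$1
    for d in "$base"/*.*/; do
        [ -d "$d" ] || continue
        fqdn=$(basename "$d")
        short=${fqdn%%.*}
        if [ -d "$base/$short" ]; then
            printf '%s %s\n' "$short" "$fqdn"
        fi
    done
    return 0
}

find_preservefqdn "${1:-/etc/rsyslog.conf}" || echo "cannot read config" >&2
find_split_hostdirs "${2:-/var/log/hosts}"
```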

