On Thu, 7 Oct 2021 at 14:27, Derek Atkins (<[email protected]>) wrote:
>
> Good morning,
>
> Indeed, this is what appears to be the case.
>
> # hostname arm-host.local
> # /etc/init.d/S01rsyslogd restart
> Stopping rsyslogd: OK
> Starting rsyslogd: OK
> # tail /var/log/myhostname
> 127/n127/arm-host/n#
>
> So now the question is why getaddrinfo() is returning the wrong info?

I would strongly tend to say that's a question for the uclibc team.

Rainer

>
> -derek
>
> On Thu, October 7, 2021 8:22 am, Rainer Gerhards wrote:
> > ah, nah.. This could happen:
> >
> > gethostname() returns "arm-host".
> >
> > We see a non-FQDN, so it is not a "real" name and name resolution is
> > enabled. Then we call getaddrinfo("arm-host", ...), which seems to
> > return "127.0.0.1". This means the host "arm-host" is not properly
> > resolved. To prove this is the point, set hostname to
> > "arm-host.localhost" - due to the dot it now is a FQDN and so the name
> > resolution should not be done.
> >
> > Rainer
> >
> > On Thu, 7 Oct 2021 at 14:16, Rainer Gerhards
> > (<[email protected]>) wrote:
> >>
> >> It is gethostname(). But depending on circumstances DNS is also
> >> involved. In the sample here, "127.0.0.1" being returned, this should
> >> not be the case.
> >>
> >> The prime function used to get the local host name is:
> >> https://github.com/rsyslog/rsyslog/blob/master/runtime/net.c#L1166
> >>
> >> HTH
> >> Rainer
> >>
> >> On Thu, 7 Oct 2021 at 0:06, David Lang via rsyslog
> >> (<[email protected]>) wrote:
> >> >
> >> > ok, that confirms that the syscall to get the hostname isn't working
> >> >
> >> > Rainer, what call do we make?
> >> >
> >> > David Lang
> >> >
> >> > On Wed, 6 Oct 2021, Derek Atkins wrote:
> >> >
> >> > > Date: Wed, 6 Oct 2021 16:20:46 -0400
> >> > > From: Derek Atkins <[email protected]>
> >> > > To: David Lang <[email protected]>
> >> > > Cc: [email protected]
> >> > > Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname is "127.0.0.1"?
> >> > >
> >> > > David,
> >> > >
> >> > > # cat >> /etc/rsyslog.conf
> >> > > $template foo,"%$myhostname%/n"
> >> > > /var/log/myhostname;foo
> >> > > # /etc/init.d/S01rsyslogd restart
> >> > > Stopping rsyslogd: OK
> >> > > Starting rsyslogd: OK
> >> > > # tail /var/log/myhostname
> >> > > 127/n#
> >> > >
> >> > > -derek
> >> > >
> >> > > On Wed, October 6, 2021 2:35 pm, David Lang wrote:
> >> > >> $template foo,"%$myhostname%/n"
> >> > >> /var/log/myhostname;foo
> >> > >>
> >> > >> run this for a very short time as it will write a line to this file for every
> >> > >> log message that arrives :-)
> >> > >>
> >> > >> David Lang
> >> > >>
> >> > >> On Wed, 6 Oct 2021, Derek Atkins wrote:
> >> > >>
> >> > >>> Date: Wed, 6 Oct 2021 13:45:56 -0400
> >> > >>> From: Derek Atkins <[email protected]>
> >> > >>> To: David Lang <[email protected]>
> >> > >>> Cc: Derek Atkins via rsyslog <[email protected]>
> >> > >>> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname is "127.0.0.1"?
> >> > >>>
> >> > >>> David,
> >> > >>>
> >> > >>> I am happy to revert back to the uclibc installation and feed you data, if
> >> > >>> you can give me what to copy-and-paste into my rsyslogd.conf file?
> >> > >>>
> >> > >>> -derek
> >> > >>>
> >> > >>> On Wed, October 6, 2021 1:43 pm, David Lang wrote:
> >> > >>>> I believe that rsyslog uses the gethostbyname() call to convert the IP to name
> >> > >>>>
> >> > >>>> it would also be interesting to create a custom template with %$myhostname% in
> >> > >>>> it and see what that returns.
> >> > >>>>
> >> > >>>> I'm not sure if in this case, rsyslog is seeing that there is no hostname in the
> >> > >>>> message and using $myhostname (and that is wrong) or if it's trying to resolve
> >> > >>>> 127.0.0.1 and that's failing (I suspect that it's the $myhostname that's wrong)
> >> > >>>>
> >> > >>>> If we can identify what's happening, we can then try to create a fix. It would
> >> > >>>> be nice to support non-glibc builds
> >> > >>>>
> >> > >>>> David Lang
> >> > >>>>
> >> > >>>>
> >> > >>>> On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
> >> > >>>>
> >> > >>>>> I just rebuilt the Arm platform with GLibc and.... syslog is working.
> >> > >>>>> So I will go and blame uclibc for the bug.
> >> > >>>>>
> >> > >>>>> Thank you for getting me to look more closely (and pointing out that the
> >> > >>>>> issue is that rsyslogd was not getting a valid hostname).
> >> > >>>>>
> >> > >>>>> Thanks all!
> >> > >>>>>
> >> > >>>>> -derek
> >> > >>>>>
> >> > >>>>> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> >> > >>>>>> Good morning,
> >> > >>>>>>
> >> > >>>>>> Thank you for your help so far.
> >> > >>>>>>
> >> > >>>>>> I just wanted to add one more piece of data, on my other host (compiled in
> >> > >>>>>> the same way from the same source in the same BuildRoot manner, but on a
> >> > >>>>>> different platform), I get what I would expect:
> >> > >>>>>>
> >> > >>>>>> Debug line with all properties:
> >> > >>>>>> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI: 46,
> >> > >>>>>>      syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> >> > >>>>>> TIMESTAMP: 'Oct  6 12:27:44', STRUCTURED-DATA: '-',
> >> > >>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >> > >>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >> > >>>>>> inputname: imuxsock rawmsg: '<46>Oct  6 12:27:44 rsyslogd: [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >> > >>>>>> $!:
> >> > >>>>>> $.:
> >> > >>>>>> $/:
> >> > >>>>>>
> >> > >>>>>> So ... FROMHOST and HOSTNAME are clearly correct here.  So I guess my
> >> > >>>>>> question is, what APIs are rsyslogd using to try to obtain this
> >> > >>>>>> information?  I can certainly compile additional test code and run it if
> >> > >>>>>> necessary.  I just find it odd that the *host* knows its name but rsyslogd
> >> > >>>>>> can't figure it out?
> >> > >>>>>>
> >> > >>>>>> Actually, looking a little closer, I noticed that I'm using uclibc on the
> >> > >>>>>> arm platform (the broken one), but glibc on the nios2.  I wonder if this
> >> > >>>>>> is the issue?
> >> > >>>>>>
> >> > >>>>>> -derek
> >> > >>>>>>
> >> > >>>>>> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >> > >>>>>>> As I said in my OP:
> >> > >>>>>>>
> >> > >>>>>>> # hostname
> >> > >>>>>>> arm-host
> >> > >>>>>>>
> >> > >>>>>>> and from this query:
> >> > >>>>>>>
> >> > >>>>>>> # cat /etc/hosts
> >> > >>>>>>> 127.0.0.1       localhost
> >> > >>>>>>> 127.0.1.1       arm-host
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>> However, as I also stated in my OP, I have another machine on a nios2
> >> > >>>>>>> with the exact same configuration and there the log messages say the
> >> > >>>>>>> correct hostname.
> >> > >>>>>>>
> >> > >>>>>>> -derek
> >> > >>>>>>>
> >> > >>>>>>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >> > >>>>>>>> what is in /etc/hosts and what do you get if you run the command hostname?
> >> > >>>>>>>>
> >> > >>>>>>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >> > >>>>>>>>
> >> > >>>>>>>> the log message you received (as seen by the rawmsg: section) does not
> >> > >>>>>>>> provide a hostname (which could have been the problem)
> >> > >>>>>>>>
> >> > >>>>>>>> so based on this, the problem is with name resolution, which should start
> >> > >>>>>>>> with /etc/hosts and hostname
> >> > >>>>>>>>
> >> > >>>>>>>> David Lang
> >> > >>>>>>>>
> >> > >>>>>>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >> > >>>>>>>>
> >> > >>>>>>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >> > >>>>>>>>> From: Derek Atkins <[email protected]>
> >> > >>>>>>>>> To: David Lang <[email protected]>
> >> > >>>>>>>>> Cc: [email protected]
> >> > >>>>>>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is "127.0.0.1"?
> >> > >>>>>>>>>
> >> > >>>>>>>>> Hi,
> >> > >>>>>>>>>
> >> > >>>>>>>>> Thank you for the quick response.
> >> > >>>>>>>>>
> >> > >>>>>>>>> The logging here is all done locally, and the issue is in EVERY log
> >> > >>>>>>>>> message.  The source is local (a call to vsyslog() in an application), or
> >> > >>>>>>>>> even just a call to "logger".  Here is the resulting log message from
> >> > >>>>>>>>> rsyslogd starting up:
> >> > >>>>>>>>>
> >> > >>>>>>>>> Debug line with all properties:
> >> > >>>>>>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI: 46,
> >> > >>>>>>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog', PROCID: '-', MSGID: '-',
> >> > >>>>>>>>> TIMESTAMP: 'Oct  6 00:14:18', STRUCTURED-DATA: '-',
> >> > >>>>>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >> > >>>>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >> > >>>>>>>>> inputname: imuxsock rawmsg: '<46>Oct  6 00:14:18 syslog: [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >> > >>>>>>>>> $!:
> >> > >>>>>>>>> $.:
> >> > >>>>>>>>> $/:
> >> > >>>>>>>>>
> >> > >>>>>>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here, but my
> >> > >>>>>>>>> guess is that's the problem?
> >> > >>>>>>>>>
> >> > >>>>>>>>> I can run the same config on the nios2 if you want to see what it says,
> >> > >>>>>>>>> but my guess is that FROMHOST and HOSTNAME are going to both be "nios2"
> >> > >>>>>>>>> instead of "127".
> >> > >>>>>>>>>
> >> > >>>>>>>>> The contents of /etc/hosts is effectively the same on both machines (the
> >> > >>>>>>>>> one that works correctly and this one).
> >> > >>>>>>>>>
> >> > >>>>>>>>> Thanks,
> >> > >>>>>>>>>
> >> > >>>>>>>>> -derek
> >> > >>>>>>>>>
> >> > >>>>>>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >> > >>>>>>>>>> please log with the template RSYSLOG_DebugFormat so that we can see exactly
> >> > >>>>>>>>>> what rsyslog is being sent for a problem message.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> David Lang
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >> > >>>>>>>>>>> From: Derek Atkins via rsyslog <[email protected]>
> >> > >>>>>>>>>>> To: [email protected]
> >> > >>>>>>>>>>> Cc: Derek Atkins <[email protected]>
> >> > >>>>>>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is "127.0.0.1"?
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> Hi,
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> I'm using rsyslog in a BuildRoot environment.  I've built it on two
> >> > >>>>>>>>>>> different platforms (nios2 and arm).  The Nios2 platform works great.
> >> > >>>>>>>>>>> However, on the Arm platform, rsyslog seems to think the local hostname is
> >> > >>>>>>>>>>> "127.0.0.1".  Why do I think that?  Well, /var/log/messages contains:
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> Oct  5 19:34:25 127 syslog: [origin software="rsyslogd" swVersion="8.2010.0" x-pid="8080" x-info="https://www.rsyslog.com"] start
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> Notice the "127" in there?  That's where the "hostname" is supposed to be.
> >> > >>>>>>>>>>> So if for some reason it thinks the FQDN is an IP address, that would
> >> > >>>>>>>>>>> explain why this is doing that.  But that's weird, because:
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> # hostname
> >> > >>>>>>>>>>> arm-host
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> Moreover, if I compile and run the code to execute a "gethostbyname()" it
> >> > >>>>>>>>>>> also returns "arm-host".  So I have no idea where it's getting the idea
> >> > >>>>>>>>>>> that the hostname/FQDN is an IP Address.
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> I'll note that on the Nios2 this works as expected:
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd" swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com"] start
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> I'll say this is the same version of rsyslog on both systems, built with
> >> > >>>>>>>>>>> the same sources, and (ostensibly) with the same build-time, and
> >> > >>>>>>>>>>> definitely the same run-time configurations.
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> I'm just at a loss for why rsyslog might be doing this, and I'm not sure
> >> > >>>>>>>>>>> where else to look.
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> So I'm hoping you experts might be able to help me?
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> Thanks!
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> -derek
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>
> >> > >>>>>>>>>
> >> > >>>>>>>>>
> >> > >>>>>>>>
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>> --
> >> > >>>>>>>        Derek Atkins                 617-623-3745
> >> > >>>>>>>        [email protected]             www.ihtfp.com
> >> > >>>>>>>        Computer and Internet Security Consultant
> >> > >>>>>>>
> >> > >>>>>>> _______________________________________________
> >> > >>>>>>> rsyslog mailing list
> >> > >>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> > >>>>>>> http://www.rsyslog.com/professional-services/
> >> > >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> > >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> > >>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> > >>>>>>> DON'T LIKE THAT.
> >> > >>>>>>>
> >> > >>>>>>
> >> > >>>>>>
> >> > >>>>>> --
> >> > >>>>>>        Derek Atkins                 617-623-3745
> >> > >>>>>>        [email protected]             www.ihtfp.com
> >> > >>>>>>        Computer and Internet Security Consultant
> >> > >>>>>>
> >> > >>>>>>
> >> > >>>>>
> >> > >>>>>
> >> > >>>>>
> >> > >>>>
> >> > >>>
> >> > >>>
> >> > >>>
> >> > >>
> >> > >
> >> > >
> >> > >
> >
>
>
> --
>        Derek Atkins                 617-623-3745
>        [email protected]             www.ihtfp.com
>        Computer and Internet Security Consultant
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
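
The lookup sequence described in this thread (gethostname(), then getaddrinfo() for a name without a dot), as an added diagnostic that is not part of the original thread and is not rsyslog's code. It assumes the lookup requests the canonical name with AI_CANONNAME, which the thread does not state; is_numeric_address(), short_name() and choose_hostname() are hypothetical helpers showing why an address returned as a name is logged as "127" and how a check can fall back to the gethostname() value.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 if s parses as a literal IPv4 or IPv6 address, else 0. */
int is_numeric_address(const char *s) {
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Copy the part of name before the first dot into out (the short host name). */
void short_name(const char *name, char *out, size_t outlen) {
    size_t n = strcspn(name, ".");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, name, n);
    out[n] = '\0';
}

/* Pick the name to log: trust canon only if it is a dotted name, not an address. */
const char *choose_hostname(const char *local, const char *canon) {
    if (canon == NULL || canon[0] == '\0') return local;
    if (is_numeric_address(canon)) return local;   /* the failure seen in the thread */
    return strchr(canon, '.') ? canon : local;
}

int main(void) {
    char local[256] = "", shortbuf[256];
    struct addrinfo hints, *res = NULL;
    if (gethostname(local, sizeof(local) - 1) != 0) { perror("gethostname"); return 1; }
    printf("gethostname(): %s\n", local);
    if (strchr(local, '.') == NULL) {            /* non-FQDN: ask the resolver */
        memset(&hints, 0, sizeof(hints));
        hints.ai_flags = AI_CANONNAME;           /* assumption, see lead-in */
        int rc = getaddrinfo(local, NULL, &hints, &res);
        if (rc != 0) printf("getaddrinfo(): %s\n", gai_strerror(rc));
    }
    const char *canon = res ? res->ai_canonname : NULL;
    printf("ai_canonname:  %s%s\n", canon ? canon : "(none)",
           canon && is_numeric_address(canon) ? "  <-- address, not a name" : "");
    short_name(canon ? canon : local, shortbuf, sizeof(shortbuf));
    printf("naive short name:   %s\n", shortbuf);
    short_name(choose_hostname(local, canon), shortbuf, sizeof(shortbuf));
    printf("guarded short name: %s\n", shortbuf);
    if (res) freeaddrinfo(res);
    return 0;
}
```

Building and running it against both C libraries on the same /etc/hosts shows whether the two resolvers return different canonical names for the same short host name.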