David,
Thanks for your feedback!
I was just reading S6.2.4 of
https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.4 and realize the
sender should have provided the HOSTNAME.
This makes sense (in hindsight). It would place a performance hit on the
rsyslog server if the rsyslog server had to resolve names…
So it seems the sender (Fortinet, in this case) is sending HOSTNAME as an IP,
leading to the issue we’re seeing.
As always, thanks for your help!
Shawn Singh
Systems Architect II | Cloud Platform Services | CSX Technology
904-633-5745
“Ah… It seems I’ve offended two people at once, how fortuitous.” – Wednesday Addams
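The thread's diagnosis in working form, as an added example that is not code from the thread or from rsyslog: a checker that classifies a raw syslog header as RFC 5424, RFC 3164 or malformed, then derives the per-host directory name with the fromhost-ip fallback David describes. The Fortinet line is the one quoted below (shortened); the well-formed variants and the resolver results used with it are constructed.

```python
import ipaddress
import re
import socket

# Added example, not from the thread or rsyslog: approximates a receiver's header
# check and the fromhost-ip fallback; FORTINET_RAW is the thread's line, shortened.
FORTINET_RAW = ('<189>date=2022-07-29 time=13:30:40 devname="FWL-QTSA-P-18F-FVPN-01" '
                'devid="FG181FTK21901621" type="event" subtype="system" level="notice"')
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
RFC5424_RE = re.compile(r"^1 (\S+) (\S+) ")  # VERSION SP TIMESTAMP SP HOSTNAME SP
RFC3164_RE = re.compile(                      # Mmm dd hh:mm:ss SP HOSTNAME SP
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} "
    r"\d\d:\d\d:\d\d (\S+) ")

def classify_header(raw):
    """Return (format, hostname); format is 'rfc5424', 'rfc3164' or 'malformed'."""
    pri = PRI_RE.match(raw)
    if not pri:
        return "malformed", None
    rest = pri.group(2)
    m = RFC5424_RE.match(rest)
    if m:  # "-" is the RFC 5424 NILVALUE: valid header, but no hostname supplied
        return "rfc5424", (None if m.group(2) == "-" else m.group(2))
    m = RFC3164_RE.match(rest)
    if m:
        return "rfc3164", m.group(1)
    return "malformed", None  # e.g. the Fortinet line: PRI followed by key=value

def is_ip_literal(name):
    try:  # True when the HOSTNAME field holds an IPv4/IPv6 literal, not a name
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def no_ptr_record(ip):
    """Constructed offline stand-in for a reverse lookup with no PTR record."""
    raise socket.herror(1, "Unknown host")

def log_dir_name(raw, fromhost_ip, resolver=socket.gethostbyaddr):
    """Directory name for /var/remote/logs/<name>/: header HOSTNAME when well formed
    and not an IP literal, else reverse lookup of the peer (fromhost), else the IP."""
    fmt, hostname = classify_header(raw)
    if fmt != "malformed" and hostname and not is_ip_literal(hostname):
        return hostname
    try:
        return resolver(fromhost_ip)[0]
    except OSError:
        return fromhost_ip
```

Run over a capture of raw messages, this separates senders that will end up as IP-named directories because of a bad header from those whose header is fine but carries an IP literal as HOSTNAME.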
From: David Lang <da...@lang.hm>
Date: Friday, July 29, 2022 at 4:21 PM
To: Singh, Radesh <radesh_si...@csx.com>
Cc: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] [E] Re: How to view messages
OK, this is malformed: it does not have a proper timestamp or hostname in the
message (see RFC-3164 for the old format and RFC-5424 for the new format).
If you can fix the sender to properly format the message, that would be the best
option.
Falling back on fromhost-ip and then looking it up in name resolution is a poor
second, but should work. Make sure that you can do an nslookup of the IP.
David Lang
On Fri, 29 Jul 2022, Singh, Radesh wrote:
> Date: Fri, 29 Jul 2022 20:13:32 +0000
> From: "Singh, Radesh" <radesh_si...@csx.com>
> To: David Lang <da...@lang.hm>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [E] Re: How to view messages
>
> Here’s a snip from the rawmsg portion:
>
> rawmsg: '<189>date=2022-07-29 time=13:30:40 devname="FWL-QTSA-P-18F-FVPN-01" devid="FG181FTK21901621" eventtime=1659115840206155849 tz="-0400" logid="0100040704" type="event" subtype="system" level="notice"
>
> Thanks,
>
> Shawn Singh
> Systems Architect II | Cloud Platform Services | CSX Technology
> 904-633-5745
>
> “Ah… It seems I’ve offended two people at once, how fortuitous.” – Wednesday Addams
>
> From: David Lang <da...@lang.hm>
> Date: Friday, July 29, 2022 at 3:27 PM
> To: Singh, Radesh <radesh_si...@csx.com>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [E] Re: How to view messages
>
> hostname is what is in the message (unless it's malformed)
>
> fromhost-ip is the IP that the box received the message from (if the message is
> relayed from some other host, this is the last relay in the chain)
>
> fromhost is the result of a name lookup on the receiving machine of fromhost-ip
> (it could include DNS, or DNS lookups can be disabled in rsyslog and only do a
> /etc/hosts lookup)
>
> if you can show the rawmsg portion of the debug log (or at least the beginning
> of it), I can see if the sender is sending a properly formatted message or if
> it's malformed.
>
> If the sender is sending a properly formed message hostname will be what the
> sender put in the message, period.
>
> David Lang
>
> On Fri, 29 Jul 2022, Singh, Radesh wrote:
>
> > Date: Fri, 29 Jul 2022 18:37:13 +0000
> > From: "Singh, Radesh" <radesh_si...@csx.com>
> > To: David Lang <da...@lang.hm>
> > Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> > Subject: Re: [rsyslog] [E] Re: How to view messages
> >
> > David,
> >
> > I was able to see more of the messages using the DebugFormat, so thank you
> > so much for that information.
> >
> > Riddle me this…
> >
> > I see that HOSTNAME on a particular message is not the hostname as would be
> > reported if I did a reverse DNS lookup, but instead is the IP address of the host.
> >
> > Why isn’t rsyslog printing the hostname instead of IP?
> >
> > Just taking a portion of a message:
> >
> > FROMHOST: '10.84.180.239', fromhost-ip: '10.84.180.239', HOSTNAME: '10.84.180.239', PRI: 189,
> > syslogtag 'date=2022-07-29', programname: 'date=2022-07-29', APP-NAME: 'date=2022-07-29', PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Jul 29 13:30:40',
> >
> > If I do a dig -x against the IP listed in FROMHOST/FROMHOST-IP, I get a
> > name… why isn’t that name being printed in the message?
> >
> > BTW, I’m running this version of rsyslog:
> > rsyslog-8.24.0-16.el7_5.4.x86_64
> >
> > Thanks,
> >
> > Shawn Singh
> > Systems Architect II | Cloud Platform Services | CSX Technology
> > 904-633-5745
> >
> > “Ah… It seems I’ve offended two people at once, how fortuitous.” – Wednesday Addams
> >
>
> > From: David Lang <da...@lang.hm>
>
> > Date: Thursday, July 28, 2022 at 6:03 PM
>
> > To: Singh, Radesh <radesh_si...@csx.com>
>
> > Cc: rsyslog-users <rsyslog@lists.adiscon.com>
>
> > Subject: Re: [rsyslog] [E] Re: How to view messages
>
> >
>
> > you want the RSYSLOG_DebugFormat for this.
> >
> > properties are things generated/parsed by rsyslog, not part of the raw message
> > that was received.
> >
> > David Lang
> >
> > On Thu, 28 Jul 2022, Singh, Radesh wrote:
> >
> > > Date: Thu, 28 Jul 2022 21:04:55 +0000
> > > From: "Singh, Radesh" <radesh_si...@csx.com>
> > > To: rsyslog-users <rsyslog@lists.adiscon.com>, David Lang <da...@lang.hm>
> > > Subject: Re: [rsyslog] [E] Re: How to view messages
> > >
> > > I’m trying to see what the value of each property is when rsyslog
> > > receives a message from certain hosts to see if maybe something isn’t being set right.
> > >
> > > The problem is messages get written to:
> > >
> > > /var/remote/logs/<IP_ADDRESS>/…
> > >
> > > We’d like them to be written to:
> > >
> > > /var/remote/logs/<HOSTNAME>/
> > >
> > > I’ve confirmed that name resolution is successful for the host sending
> > > the message, so I’m wondering if there is something with the message itself where maybe
> > > the message isn’t in the right format.
> > >
> > > Radesh
> > >
> > > From: rsyslog <rsyslog-boun...@lists.adiscon.com> on behalf of Singh, Radesh via rsyslog <rsyslog@lists.adiscon.com>
> > > Date: Thursday, July 28, 2022 at 4:58 PM
> > > To: David Lang <da...@lang.hm>, Singh, Radesh via rsyslog <rsyslog@lists.adiscon.com>
> > > Cc: Singh, Radesh <radesh_si...@csx.com>
> > > Subject: Re: [rsyslog] [E] Re: How to view messages
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> > >
> > > This email transmission and any accompanying attachments may contain CSX
> > > privileged and confidential or business proprietary information intended only for the
> > > use of the intended addressee. Any dissemination, distribution, forwarding, copying, or
> > > action taken in reliance on the contents of this email by anyone other than the intended
> > > recipient is strictly prohibited. If you have received this email in error please
> > > immediately delete it, destroy all copies, and notify the sender at the above CSX email address.