On Sun, 5 May 2024, Alberto via rsyslog wrote:
> I have a host with very old firmware that I cannot update, with
> syslogd/klogd 1.5.0.
> I'm sending their logs to remote Rsyslog server (Docker container
> actually), but when I filter for get files by hostname/source IP..., I
> don't get real "hostname" or "Fromhost" because it gives me host's IP.
> This is a debug example:
> "Debug line with all properties:
> FROMHOST: '172.22.0.1'
> HOSTNAME: '172.22.0.1'
> PROGRAMNAME: 'upsmon'
> FROMHOST-IP: '172.22.0.1'
> SYSLOGTAG: 'upsmon[27392]:-'
> APP-NAME: 'upsmon'
> PROCID: '27392'
> MSGID: '-'
> INPUTNAME: 'imudp'
> PRI: '27'
> STRUCTURED-DATA: -',
> MSG: ' Poll UPS [ups@xxxxxxx] failed - [ups] does not exist on server
> xxxxxx',
> RAWMSG: '<27>upsmon[27392]: Poll UPS [ups@xxxxxxxxxx] failed - [ups]
> does not exist on server xxxxxxx"

so this rawmsg field is showing that the sender is not formatting the message
correctly, the timestamp and hostname are missing from the message. The good
news is that they are missing in a way that rsyslog can detect that it's
malformed, so you aren't getting hostnames like 'upsmon' or 'Poll'.

fromhost is generated by doing a name lookup of fromhost-ip, so if you set up an
/etc/hosts or DNS entry you can populate fromhost.

> I thought about adding a TAG in source host, but I don't know why do it
> in a syslogd/klogd so old.

the syslogtag is upsmon, I don't know what options there are to change the
formatting on that system, syslogd is very old and I'm surprised it's not
sending valid messages.

> This is the old source host configuration:
> root@buffalo:~# cat /etc/syslog.conf
> #cron.* /var/log/cron
> #user.info /var/log/linkstation.log
> *.emerg *
> #local0.* /var/log/linkstation.log
> local6.* /var/log/file.smb
> local7.* /var/log/backup.log
> *.info;cron.none;user.none;local6.none /var/log/messages
> $PreserveFQDN on
> *.* @192.168.1.2

$PreserveFQDN is not valid for syslogd that I know of, what happens if you
remove it?

are there any man pages for syslog.conf on that system?

David Lang

> Any Idea?
> Best Regards,
> Alberto
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
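
An added illustration (not part of the original thread and not rsyslog's own parser) of the two points in the reply above: a datagram without the timestamp and hostname header can be recognised as such, and the host identity then has to come from the source address or a name mapped to it. The `hosts` mapping and the name `buffalo` for 172.22.0.1 are constructed assumptions standing in for an /etc/hosts or DNS entry.

```python
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header that should follow PRI: "Mmm dd hh:mm:ss HOSTNAME "
HEADER_RE = re.compile(
    r"^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d "
    r"\d\d:\d\d:\d\d) (\S+) ")
TAG_RE = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?: ?")

def parse_bsd_syslog(raw, sender_ip, hosts=None):
    """Split one BSD-syslog datagram; fall back to the sender when no header."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI>")
    pri, rest = int(m.group(1)), raw[m.end():]
    hdr = HEADER_RE.match(rest)
    if hdr:
        timestamp, hostname = hdr.group(1), hdr.group(2)
        rest = rest[hdr.end():]
    else:
        # No timestamp/hostname on the wire: do not treat the first word
        # ("upsmon", "Poll") as a hostname. Use the name mapped to the
        # source address, or the address itself.
        timestamp = None
        hostname = (hosts or {}).get(sender_ip, sender_ip)
    tag = TAG_RE.match(rest)
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "header_present": hdr is not None,
        "timestamp": timestamp, "hostname": hostname,
        "programname": tag.group(1) if tag else None,
        "procid": tag.group(2) if tag else None,
        "msg": rest[tag.end():] if tag else rest,
    }

# RAWMSG from the debug output above, and a constructed well-formed variant.
RAW_FROM_POST = ("<27>upsmon[27392]: Poll UPS [ups@xxxxxxxxxx] failed - [ups] "
                 "does not exist on server xxxxxxx")
RAW_WELL_FORMED = "<27>May  5 10:00:00 buffalo upsmon[27392]: Poll UPS failed"
HOSTS = {"172.22.0.1": "buffalo"}  # constructed stand-in for /etc/hosts or DNS

if __name__ == "__main__":
    for raw in (RAW_FROM_POST, RAW_WELL_FORMED):
        print(parse_bsd_syslog(raw, "172.22.0.1", HOSTS))
```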