Hello! If you can change the remote syslog port on your sender's side, then there is another way. You can create a dedicated rsyslog input listening on a port (imptcp/imtcp/imudp), bind it to a ruleset, and then assume that every message in that ruleset is from the expected sender (just do not use that port for anything else).
On Sun, 5 May 2024 at 23:58, Alberto via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
>
> On 5/5/24 at 21:28, David Lang wrote:
> > On Sun, 5 May 2024, Alberto via rsyslog wrote:
> >
> >> I have a host with very old firmware that I cannot update, with
> >> syslogd/klogd 1.5.0.
> >>
> >> I'm sending its logs to a remote Rsyslog server (Docker container
> >> actually), but when I filter to get files by hostname/source IP..., I
> >> don't get the real "hostname" or "Fromhost" because it gives me the host's IP.
> >> This is a debug example:
> >>
> >>
> >> "Debug line with all properties:
> >> FROMHOST: '172.22.0.1'
> >> HOSTNAME: '172.22.0.1'
> >> PROGRAMNAME: 'upsmon'
> >> FROMHOST-IP: '172.22.0.1'
> >> SYSLOGTAG: 'upsmon[27392]:-'
> >> APP-NAME: 'upsmon'
> >> PROCID: '27392'
> >> MSGID: '-'
> >> INPUTNAME: 'imudp'
> >> PRI: '27'
> >> STRUCTURED-DATA: -',
> >> MSG: ' Poll UPS [ups@xxxxxxx] failed - [ups] does not exist on server xxxxxx',
> >> RAWMSG: '<27>upsmon[27392]: Poll UPS [ups@xxxxxxxxxx] failed - [ups] does not exist on server xxxxxxx"
> >
> > so this rawmsg field is showing that the sender is not formatting the
> > message correctly, the timestamp and hostname are missing from the
> > message. The good news is that they are missing in a way that rsyslog
> > can detect that it's malformed, so you aren't getting hostnames like
> > 'upsmon' or 'Poll'
> >
> > fromhost is generated by doing a name lookup of fromhost-ip so if you
> > setup a /etc/hosts or DNS entry you can populate fromhost
> >
> >> I thought about adding a TAG in the source host, but I don't know how to do
> >> it in a syslogd/klogd so old.
> >
> > the syslogtag is upsmon, I don't know what options there are to change
> > the formatting on that system, syslogd is very old and I'm surprised
> > it's not sending valid messages.
> >
> >> This is the old source host configuration:
> >>
> >> root@buffalo:~# cat /etc/syslog.conf
> >> #cron.* /var/log/cron
> >> #user.info /var/log/linkstation.log
> >> *.emerg *
> >> #local0.* /var/log/linkstation.log
> >> local6.* /var/log/file.smb
> >> local7.* /var/log/backup.log
> >> *.info;cron.none;user.none;local6.none /var/log/messages
> >>
> >> $PreserveFQDN on
> >> *.* @192.168.1.2
> >
> > $PreserveFQDN is not valid for any syslogd that I know of, what happens if
> > you remove it?
> >
> > are there any man pages for syslog.conf on that system?
> >
> > David Lang
>
> Hi David,
>
> This system doesn't have any MAN.
>
> I only need to filter by source, but all fields (FROMHOST, HOSTNAME,
> FROMHOST-IP...) that could give me any information are useless because
> the Docker host IP appears, not the real source host IP, and I cannot populate
> fromhost (I've probed, anyway).
>
> PROGRAMNAME, SYSLOGTAG, APP-NAME... give me the app name, not source hostname
> information.
>
> I have put the "$PreserveFQDN on" directive thinking that it could be
> useful. I'll remove it.
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.

-- 
Yury Bushmelev
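A minimal receiver configuration for the port-per-sender approach Yury describes, added here as an example and not part of his message or the thread. It assumes rsyslog 8 RainerScript on the Docker side, that UDP port 5514 is otherwise unused, and that the NAS can be pointed at that port; the label `buffalo`, the file paths and the template names are made up for the example.

```conf
# Added example (not from the thread): one imudp input per legacy sender,
# bound to its own ruleset, so attribution comes from the port and not from
# the HOSTNAME/FROMHOST properties, which only show the Docker host address.
module(load="imudp")

# Ordinary input for every other sender stays on the default port.
input(type="imudp" port="514")

# Dedicated input for the old NAS. Nothing else may ship to this port, and
# because Docker NAT hides the real source address, the port is the only
# discriminator: expose it (firewall / port publishing) to the NAS alone.
input(type="imudp" port="5514" ruleset="legacy_buffalo")

# File path is built from the label we assign, not from the parsed hostname.
template(name="legacyFile" type="string"
         string="/var/log/remote/%$.srchost%/%programname%.log")

# The sender omits its timestamp (see the RAWMSG above), so record the
# receiver's time of arrival instead of the parser's fallback value.
template(name="legacyLine" type="string"
         string="%timegenerated:::date-rfc3339% %$.srchost% %syslogtag%%msg:::drop-last-lf%\n")

ruleset(name="legacy_buffalo") {
    set $.srchost = "buffalo";   # assumed label for the expected sender
    action(type="omfile" dynaFile="legacyFile" template="legacyLine")
    stop                          # keep these messages out of the default ruleset
}
```

On the NAS the forwarding line would then name the port (e.g. `*.* @192.168.1.2:5514`), assuming its syslogd accepts a port suffix.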