[rsyslog] Hostname matching with DNS

Rainer Gerhards rgerhards at hq.adiscon.com
Mon Dec 24 20:59:02 CET 2007


Scott,

So now a bit more in-depth: the HOSTNAME is taken from the syslog message, while FROMHOST is the last hop. There is only a difference in relay scenarios - or, like here, based on DNS resolution. This is why you see different values. The point is to match against the same one that is used in the catchall rule.

However, I think the most appropriate thing to do is add a FROMHOST-IP property, which always has the IP address of the sender, no matter if the -x option is given or not.

Would that help?

Rainer 

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com 
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of 
> Rainer Gerhards
> Sent: Monday, December 24, 2007 7:59 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Hostname matching with DNS
> 
> Really quick: check the HOSTNAME (or so ;)) property. 
> 
> ----- Original Message -----
> From: "Scott Baker" <bakers at web-ster.com>
> To: "rsyslog-users" <rsyslog at lists.adiscon.com>
> Sent: 24.12.07 19:10
> Subject: [rsyslog] Hostname matching with DNS
> 
> I have a couple of hosts on private IPs 10.x.x.x and thus they have no
> DNS entries. So rather than log the IP in syslog I set up host
> entries for them.
> 
> If I do something like
> 
> :FROMHOST, isequal, "foobar"                -?dialup
> 
> it doesn't match the /etc/hosts entry I have for foobar. If I set up
> a catchall entry that goes to a test log I see the line
> 
> Dec 24 10:06:23 foobar [This is the message]
> 
> So it's logging the hostname like I would expect it to (rsyslog is
> aware of the host entry) but I can't match against it? Unfortunately
> my server is SUPER busy now and I can't put the server in debug mode
> to check what's coming across. Is there another way I could 
> check this?
> 
> -- 
> Scott Baker - Canby Telcom
> RHCE - System Administrator - 503.266.8253
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> 
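One way to see which value each property holds without running rsyslog in debug mode, as an added example that is not part of the original thread: a template that writes HOSTNAME and FROMHOST side by side, followed by the filter rewritten against HOSTNAME. The template name `PropCheck` and the log path are assumptions, and `dialup` is taken to be the dynamic-file template already defined in the original configuration.

```conf
# Added example in legacy rsyslog.conf syntax; PropCheck and the log path are assumed names.
# HOSTNAME comes from the message text, FROMHOST from the resolved sender,
# so writing both on one line shows which of them actually reads "foobar".
$template PropCheck,"hostname=%HOSTNAME% fromhost=%FROMHOST% msg=%msg%\n"
*.*     /var/log/prop-check.log;PropCheck

# Filter on the property that carries the name seen in the catch-all log.
:HOSTNAME, isequal, "foobar"                -?dialup
```

HOSTNAME is supplied by the sending device inside the message, so a rule keyed on it trusts the sender's own claim about its name.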


