[rsyslog] more 5.1.3 errors (fwd)

david at lang.hm david at lang.hm
Thu Aug 20 11:48:13 CEST 2009 

On Thu, 20 Aug 2009, Rainer Gerhards wrote:

>> this first example shows the sceibe1b boxes with the incorrect hostname
>> and
>> system tag (scribe1b is the other rsyslog box, the one showing the
>> problem)
>>
>> # tail scribe1*
>> ==> scribe1a-b <==
>> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
>> n714dL7N010869:
>> unable to open S/MIME certificate
>> '/var/spool/certs/chris.cournoyer at digitalinsight.com'
>>
>> 192.168.210.217 192.168.242.126 smelter
>>
>>
>> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
>> n714dL7N010869:
>> unable to add rcpt 'chris.cournoyer at digitalinsight.com' :: bad
>> certificate
>>
>> 192.168.210.217 192.168.242.126 smelter
>
>
> mmhhh... if "smelter" is the tag, the issue is that fromhost is ending in 217
> but the hostname reported is 126? If so, may this box be multihomed? rsyslog
> (should ;)) use simply what is provided to it, and it looks like that was
> .126 (to be shown ;)). But first things first: is my understanding of the
> failure scenario correct?

all the 192.168.210.x servers are relays.

the template is
$template raw,"%rawmsg%\n%fromhost% %hostname% %syslogtag%\n\n\n"

so it displays the raw message, then fromhost, hostname, syslogtag

the scribe1a messages you quoted here are showing the right thing.

these messages from scribe1b-p however do not

<29>Jul 31 21:39:21 methane1e-b plug-gw[10538]: disconnect host=/192.168.242.211 destination=179.50.100.127/11282 in=3274 out=1448 duration=0

192.168.210.219 192.168.210.219 methane1e-b

as far as I can tell, this is a properly formatted message relayed from 
methane1e-b by scribe1b-p (192.168.210.219 running rsyslog), but after 
being parsed it puts the hostname from the message in the syslog tag and 
puts the scribe1b-p ip address in the hostname


the second problem from my initial e-mail (and the one I mentioned in 
response to the 5.1.4 release) is pointed out by this portion of my 
initial e-mail

<29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host= /192.168.243.38 destination=179.50.100.130/11074

192.168.210.245 192.168.210.245 methane1d-b


in addition to not parsing the message correctly and putting the hostnmae 
in the syslogtag field, the fromhost is incorrect. this message could only 
have gotten here by being relayed from the .219 box. the log file on the 
.245 box (which logs *.* to messages) don't show anything like this, and 
the methane1d-b box doesn't have any networks in common with the .245 box


David Lang

More information about the rsyslog mailing list