[rsyslog] more 5.1.3 errors (fwd)

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Aug 20 13:15:19 CEST 2009


ah, hold on, I may be able to reproduce an issue with one of the messages
flagged bad :)

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Thursday, August 20, 2009 11:48 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] more 5.1.3 errors (fwd)
> 
> On Thu, 20 Aug 2009, Rainer Gerhards wrote:
> 
> >> this first example shows the scribe1b boxes with the incorrect hostname
> >> and system tag (scribe1b is the other rsyslog box, the one showing the
> >> problem)
> >>
> >> # tail scribe1*
> >> ==> scribe1a-b <==
> >> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
> >> n714dL7N010869:
> >> unable to open S/MIME certificate
> >> '/var/spool/certs/chris.cournoyer at digitalinsight.com'
> >>
> >> 192.168.210.217 192.168.242.126 smelter
> >>
> >>
> >> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
> >> n714dL7N010869:
> >> unable to add rcpt 'chris.cournoyer at digitalinsight.com' :: bad
> >> certificate
> >>
> >> 192.168.210.217 192.168.242.126 smelter
> >
> >
> > mmhhh... if "smelter" is the tag, the issue is that fromhost is ending in 217
> > but the hostname reported is 126? If so, may this box be multihomed? rsyslog
> > (should ;)) use simply what is provided to it, and it looks like that was
> > .126 (to be shown ;)). But first things first: is my understanding of the
> > failure scenario correct?
> 
> all the 192.168.210.x servers are relays.
> 
> the template is
> $template raw,"%rawmsg%\n%fromhost% %hostname% %syslogtag%\n\n\n"
> 
> so it displays the raw message, then fromhost, hostname, syslogtag
> 
> the scribe1a messages you quoted here are showing the right thing.
> 
> these messages from scribe1b-p however do not
> 
> <29>Jul 31 21:39:21 methane1e-b plug-gw[10538]: disconnect
> host=/192.168.242.211 destination=179.50.100.127/11282 in=3274 out=1448
> duration=0
> 
> 192.168.210.219 192.168.210.219 methane1e-b
> 
> as far as I can tell, this is a properly formatted message relayed from
> methane1e-b by scribe1b-p (192.168.210.219 running rsyslog), but after
> being parsed it puts the hostname from the message in the syslog tag and
> puts the scribe1b-p ip address in the hostname
> 
> 
> the second problem from my initial e-mail (and the one I mentioned in
> response to the 5.1.4 release) is pointed out by this portion of my
> initial e-mail
> 
> <29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host=
> /192.168.243.38 destination=179.50.100.130/11074
> 
> 192.168.210.245 192.168.210.245 methane1d-b
> 
> 
> in addition to not parsing the message correctly and putting the hostname
> in the syslogtag field, the fromhost is incorrect. this message could only
> have gotten here by being relayed from the .219 box. the log file on the
> .245 box (which logs *.* to messages) doesn't show anything like this, and
> the methane1d-b box doesn't have any networks in common with the .245 box
> 
> 
> David Lang
> 
> 
> 
> 

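One way to find every record hit by the first problem in a file written with the `raw` template quoted above, as an added example that is not part of the original messages or of rsyslog: it compares the host token in each raw message's header with the parsed `%hostname%` and `%syslogtag%`. The function names and the sample data are assumptions, and it presumes every sender writes an RFC 3164 header that includes a hostname.

```python
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST ...; group 1 is the host token.
HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ")

# Constructed sample modeled on two records quoted in the thread, each raw
# message rejoined onto one line; the recipient address is a placeholder.
SAMPLE = (
    "<22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]: n714dL7N010869: "
    "unable to add rcpt 'user@example.com' :: bad certificate\n\n"
    "192.168.210.217 192.168.242.126 smelter\n\n\n"
    "<29>Jul 31 21:39:21 methane1e-b plug-gw[10538]: disconnect host=/192.168.242.211 "
    "destination=179.50.100.127/11282 in=3274 out=1448 duration=0\n\n"
    "192.168.210.219 192.168.210.219 methane1e-b\n\n\n"
)

def parse_dump(text):
    """Split 'raw' template output into (rawmsg, fromhost, hostname, syslogtag)."""
    records = []
    for block in re.split(r"\n{3,}", text.strip()):   # template ends in \n\n\n
        lines = [l for l in block.split("\n") if l]   # rawmsg may end in its own LF
        if len(lines) < 2:
            continue
        meta = lines[-1].split(None, 2)               # fromhost hostname syslogtag
        if len(meta) >= 2:
            records.append(("\n".join(lines[:-1]), *meta[:2], "".join(meta[2:])))
    return records

def check(record):
    """Return findings where the parsed properties disagree with the raw header."""
    rawmsg, fromhost, hostname, tag = record
    m = HEADER.match(rawmsg)
    if not m:
        return ["rawmsg has no RFC 3164 header"]
    header_host = m.group(1)
    findings = []
    if hostname != header_host:
        findings.append(f"hostname {hostname!r} differs from header host {header_host!r}")
    if tag.rstrip(":") == header_host:
        findings.append("header host landed in syslogtag")
    if hostname == fromhost and hostname != header_host:
        findings.append("hostname was replaced by the sender address (fromhost)")
    return findings

if __name__ == "__main__":
    for rec in parse_dump(SAMPLE):
        for finding in check(rec):
            print(f"{rec[1]}: {finding}")
```

The second problem in the thread, a wrong `fromhost`, cannot be detected this way because the raw message does not record which relay delivered it.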

