[rsyslog] more 5.1.3 errors (fwd)
david at lang.hm
Thu Aug 20 14:15:42 CEST 2009
On Thu, 20 Aug 2009, Rainer Gerhards wrote:
> I am now almost 100% sure it is a regression from this change:
>
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=86e37f70fe0e9de0e00362990c73536843c8fef3
>
> As it looks, I forgot to add the dash as a permitted character in hostnames,
> thus it triggers the logic that says "invalid hostname, so it must be a tag".
>
> Will see what I need to fix...

that would definitely cause me problems (_lots_ of my hostnames have a
dash in them)

it doesn't explain the second issue where logs that are relayed through
one machine end up showing that they were relayed through a different one.

David Lang

> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>> Sent: Thursday, August 20, 2009 1:15 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] more 5.1.3 errors (fwd)
>>
>> ah, hold on, I may be able to reproduce an issue with one of the
>> messages
>> flagged bad :)
>>
>>> -----Original Message-----
>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>>> Sent: Thursday, August 20, 2009 11:48 AM
>>> To: rsyslog-users
>>> Subject: Re: [rsyslog] more 5.1.3 errors (fwd)
>>>
>>> On Thu, 20 Aug 2009, Rainer Gerhards wrote:
>>>
>>>>> this first example shows the scribe1b boxes with the incorrect hostname and
>>>>> system tag (scribe1b is the other rsyslog box, the one showing the
>>>>> problem)
>>>>>
>>>>> # tail scribe1*
>>>>> ==> scribe1a-b <==
>>>>> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
>>>>> n714dL7N010869:
>>>>> unable to open S/MIME certificate
>>>>> '/var/spool/certs/chris.cournoyer at digitalinsight.com'
>>>>>
>>>>> 192.168.210.217 192.168.242.126 smelter
>>>>>
>>>>>
>>>>> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
>>>>> n714dL7N010869:
>>>>> unable to add rcpt 'chris.cournoyer at digitalinsight.com' :: bad
>>>>> certificate
>>>>>
>>>>> 192.168.210.217 192.168.242.126 smelter
>>>>
>>>>
>>>> mmhhh... if "smelter" is the tag, the issue is that fromhost is ending in 217
>>>> but the hostname reported is 126? If so, may this box be multihomed? rsyslog
>>>> (should ;)) use simply what is provided to it, and it looks like that was
>>>> .126 (to be shown ;)). But first things first: is my understanding of the
>>>> failure scenario correct?
>>>
>>> all the 192.168.210.x servers are relays.
>>>
>>> the template is
>>> $template raw,"%rawmsg%\n%fromhost% %hostname% %syslogtag%\n\n\n"
>>>
>>> so it displays the raw message, then fromhost, hostname, syslogtag
>>>
>>> the scribe1a messages you quoted here are showing the right thing.
>>>
>>> these messages from scribe1b-p however do not
>>>
>>> <29>Jul 31 21:39:21 methane1e-b plug-gw[10538]: disconnect
>>> host=/192.168.242.211 destination=179.50.100.127/11282 in=3274 out=1448
>>> duration=0
>>>
>>> 192.168.210.219 192.168.210.219 methane1e-b
>>>
>>> as far as I can tell, this is a properly formatted message relayed from
>>> methane1e-b by scribe1b-p (192.168.210.219 running rsyslog), but after
>>> being parsed it puts the hostname from the message in the syslog tag and
>>> puts the scribe1b-p ip address in the hostname
>>>
>>> the second problem from my initial e-mail (and the one I mentioned in
>>> response to the 5.1.4 release) is pointed out by this portion of my
>>> initial e-mail
>>>
>>> <29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host=
>>> /192.168.243.38 destination=179.50.100.130/11074
>>>
>>> 192.168.210.245 192.168.210.245 methane1d-b
>>>
>>>
>>> in addition to not parsing the message correctly and putting the hostname
>>> in the syslogtag field, the fromhost is incorrect. this message could only
>>> have gotten here by being relayed from the .219 box. the log file on the
>>> .245 box (which logs *.* to messages) doesn't show anything like this, and
>>> the methane1d-b box doesn't have any networks in common with the .245 box
>>>
>>>
>>> David Lang
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com
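
The failure mode described in this thread (a dash missing from the permitted hostname characters, so the parser decides "invalid hostname, so it must be a tag" and the relay's address is recorded as the hostname), as an added example that is not part of the original thread and is not rsyslog's parser code. The permitted set (alphanumerics and '.'), the function names, and treating the tag as simply the next space-delimited token are assumptions; the sample message and relay address are the ones quoted in the thread, with PRI and timestamp stripped.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct parsed { char hostname[64]; char tag[64]; };

/* Assumed permitted set: alphanumerics and '.', plus '-' only when allow_dash is set. */
static int host_char_ok(char c, int allow_dash) {
    return isalnum((unsigned char)c) || c == '.' || (allow_dash && c == '-');
}

/* Copy the next space-delimited token from *p into out (truncating), advancing *p past it. */
static void next_token(const char **p, char *out, size_t outsz) {
    size_t n = 0;
    while (**p == ' ') (*p)++;
    while (**p && **p != ' ') {
        if (n + 1 < outsz) out[n++] = **p;
        (*p)++;
    }
    out[n] = '\0';
}

/* msg is the text after PRI and timestamp; fromhost is the address of the sending peer. */
static struct parsed parse_host_and_tag(const char *msg, const char *fromhost, int allow_dash) {
    struct parsed r;
    char tok[64];
    const char *p = msg;
    next_token(&p, tok, sizeof tok);
    int valid = tok[0] != '\0';
    for (size_t i = 0; tok[i]; i++)
        if (!host_char_ok(tok[i], allow_dash)) valid = 0;
    if (valid) {
        snprintf(r.hostname, sizeof r.hostname, "%s", tok);
        next_token(&p, r.tag, sizeof r.tag);
    } else {
        /* "invalid hostname, so it must be a tag": the peer address becomes the hostname */
        snprintf(r.hostname, sizeof r.hostname, "%s", fromhost);
        snprintf(r.tag, sizeof r.tag, "%s", tok);
    }
    return r;
}

int main(void) {
    for (int d = 0; d <= 1; d++) {
        struct parsed r = parse_host_and_tag("methane1e-b plug-gw[10538]: disconnect", "192.168.210.219", d);
        printf("allow_dash=%d hostname=%s tag=%s\n", d, r.hostname, r.tag);
    }
    return 0;
}
```

With the dash excluded, the stored record attributes the event to the relay rather than the originating host, which matches the `192.168.210.219 192.168.210.219 methane1e-b` output quoted in the thread.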