[rsyslog] more 5.1.3 errors (fwd)

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Aug 20 14:11:51 CEST 2009


I am now almost 100% sure it is a regression from this change:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=86e37f70fe0e9de0e00362990c73536843c8fef3

As it looks, I forgot to add the dash as a permitted character in hostnames,
thus it triggers the logic that says "invalid hostname, so it must be a tag".

Will see what I need to fix...

Rainer
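
The failure mode described above, as an added example that is not part of the original message and is not rsyslog's parser code: a simplified hostname-versus-tag decision in which a missing dash in the permitted character set makes `methane1e-b` fall through to the tag field and the hostname fall back to the sender address. The function names, the permitted character set (alphanumerics, `.`, `_`, and optionally `-`) and the fallback to fromhost are assumptions made for illustration; the sample header and address are taken from the messages quoted in this thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the hostname-vs-tag decision; not rsyslog's parser.
 * allow_dash = 0 models the regression, 1 the corrected character set. */
static int valid_hostname(const char *s, size_t len, int allow_dash)
{
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || c == '.' || c == '_') continue;
        if (c == '-' && allow_dash) continue;
        return 0;               /* character outside the permitted set */
    }
    return 1;
}

/* Parse "<hostname> <tag> ..." (the text after the timestamp).
 * If the first token is not a valid hostname, it is taken as the tag and
 * the hostname falls back to the sender address (fromhost). */
static void parse_header(const char *msg, const char *fromhost, int allow_dash,
                         char *host, char *tag, size_t cap)
{
    size_t n = strcspn(msg, " ");           /* length of first token */
    if (valid_hostname(msg, n, allow_dash)) {
        snprintf(host, cap, "%.*s", (int)n, msg);
        msg += n + (msg[n] == ' ');         /* step over the separator */
        n = strcspn(msg, " ");              /* next token is the tag */
    } else {
        snprintf(host, cap, "%s", fromhost);
    }
    snprintf(tag, cap, "%.*s", (int)n, msg);
}

int main(void)
{
    /* Header text from a message quoted in this thread. */
    const char *msg = "methane1e-b plug-gw[10538]: disconnect";
    char host[64], tag[64];
    for (int fixed = 0; fixed <= 1; fixed++) {
        parse_header(msg, "192.168.210.219", fixed, host, tag, sizeof host);
        printf("dash %s: hostname=%s syslogtag=%s\n",
               fixed ? "allowed" : "rejected", host, tag);
    }
    return 0;
}
```

With the dash rejected, the model reproduces the `192.168.210.219 192.168.210.219 methane1e-b` line reported below; a regression test for a parser of this kind should include hostnames containing `-`.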

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, August 20, 2009 1:15 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] more 5.1.3 errors (fwd)
> 
> ah, hold on, I may be able to reproduce an issue with one of the
> messages
> flagged bad :)
> 
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> > Sent: Thursday, August 20, 2009 11:48 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] more 5.1.3 errors (fwd)
> >
> > On Thu, 20 Aug 2009, Rainer Gerhards wrote:
> >
> > >> this first example shows the scribe1b boxes with the incorrect
> > hostname
> > >> and
> > >> system tag (scribe1b is the other rsyslog box, the one showing the
> > >> problem)
> > >>
> > >> # tail scribe1*
> > >> ==> scribe1a-b <==
> > >> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
> > >> n714dL7N010869:
> > >> unable to open S/MIME certificate
> > >> '/var/spool/certs/chris.cournoyer at digitalinsight.com'
> > >>
> > >> 192.168.210.217 192.168.242.126 smelter
> > >>
> > >>
> > >> <22>Jul 31 21:39:21 192.168.242.126 smelter v0.88.5[23535]:
> > >> n714dL7N010869:
> > >> unable to add rcpt 'chris.cournoyer at digitalinsight.com' :: bad
> > >> certificate
> > >>
> > >> 192.168.210.217 192.168.242.126 smelter
> > >
> > >
> > > mmhhh... if "smelter" is the tag, the issue is that fromhost is
> > ending in 217
> > > but the hostname reported is 126? If so, may this box be
> multihomed?
> > rsyslog
> > > (should ;)) use simply what is provided to it, and it looks like
> that
> > was
> > > .126 (to be shown ;)). But first things first: is my understanding
> of
> > the
> > > failure scenario correct?
> >
> > all the 192.168.210.x servers are relays.
> >
> > the template is
> > $template raw,"%rawmsg%\n%fromhost% %hostname% %syslogtag%\n\n\n"
> >
> > so it displays the raw message, then fromhost, hostname, syslogtag
> >
> > the scribe1a messages you quoted here are showing the right thing.
> >
> > these messages from scribe1b-p however do not
> >
> > <29>Jul 31 21:39:21 methane1e-b plug-gw[10538]: disconnect
> > host=/192.168.242.211 destination=179.50.100.127/11282 in=3274
> out=1448
> > duration=0
> >
> > 192.168.210.219 192.168.210.219 methane1e-b
> >
> > as far as I can tell, this is a properly formatted message relayed
> from
> > methane1e-b by scribe1b-p (192.168.210.219 running rsyslog), but
> after
> > being parsed it puts the hostname from the message in the syslog tag
> > and
> > puts the scribe1b-p ip address in the hostname
> >
> >
> > the second problem from my initial e-mail (and the one I mentioned in
> > response to the 5.1.4 release) is pointed out by this portion of my
> > initial e-mail
> >
> > <29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host=
> > /192.168.243.38 destination=179.50.100.130/11074
> >
> > 192.168.210.245 192.168.210.245 methane1d-b
> >
> >
> > in addition to not parsing the message correctly and putting the
> > hostname
> > in the syslogtag field, the fromhost is incorrect. this message could
> > only
> > have gotten here by being relayed from the .219 box. the log file on
> > the
> > .245 box (which logs *.* to messages) doesn't show anything like this,
> > and
> > the methane1d-b box doesn't have any networks in common with the .245
> > box
> >
> >
> > David Lang
> >
> >
> >
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com