[rsyslog] Wrongly formatted messages from kernel/netconsole
Dag Wieers
dag at wieers.com
Fri Oct 9 14:38:01 CEST 2009

On Thu, 8 Oct 2009, RB wrote:
> On Thu, Oct 8, 2009 at 13:10, Dag Wieers <dag at wieers.com> wrote:
>
>> Also, I have noticed that our central rsyslog-server (more than 400
>> systems log to it) has directories with names like: Detected/, exiting/,
>> ext3_abort/, EXT3-fs/, journal/, last/, martian/, program/, Remounting/,
>> Restarting/, ... So it is obvious that something is not working as
>> expected coming from the kernel.
>
> More than likely because you're trying to make directories based on
> the %hostname% property, which rsyslog assumes is a specific field.
> With the sloppier daemons (FreeBSD in particular), I've had far more
> luck using the %fromhost-ip% property (as well as the $ system
> properties for timestamps). Of course, that breaks down if you're
> doing relaying, but relying on values the other end sends you to
> create filesystem artifacts is dangerous at best anyway.

You are correct, that is exactly what we do. However with rsyslog v2.0.6
it seems there is no %FROMHOST-IP% and the %FROMHOST% property only
contains the IP address. Maybe there is something else I need to do to get
the short hostname from DNS, rather than an IP on rsyslog v2 ?

>> but of course I cannot influence our production kernels to do the right
>> thing. What can I do to have rsyslog accept the "wrong" thing ? :)
>
> Use %fromhost% or %fromhost-ip% to make the directory
> structures/filenames, and make a custom format if you need to handle
> the remaining lack of data (again, timestamp & host). I'm sure there
> are many other ways to approach it, but that's the way I've solved it.

Thanks for the feedback. I hope more people can chime into this.
--
-- dag wieers, dag at wieers.com, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]
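The effect discussed in this thread, as an added example that is not part of the original post and is not rsyslog's code: a simplified model of a lenient BSD-syslog parser shows how header-less kernel/netconsole lines yield directories such as EXT3-fs/ and martian/, next to naming the directory after the source address the receiver observed. The sample messages, addresses, root path and function names are constructed for illustration.

```python
import ipaddress
import re
from pathlib import PurePosixPath

# Constructed samples: (source IP seen by the receiver, datagram payload).
SAMPLES = [
    ("192.0.2.10", "<13>Oct  9 14:38:01 web01 sshd[811]: session opened"),
    ("192.0.2.11", "<4>EXT3-fs error (device sda1): ext3_journal_start_sb"),
    ("192.0.2.11", "martian source 10.0.0.1 from 10.0.0.2, on dev eth0"),
]

PRI = re.compile(r"^<\d{1,3}>")
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def claimed_hostname(payload):
    """Simplified model (an assumption, not rsyslog's parser): drop an
    optional PRI and timestamp, then take the next word as the hostname."""
    rest = STAMP.sub("", PRI.sub("", payload))
    return rest.split(" ", 1)[0]


def dir_from_message(root, payload):
    """Weak: the directory name is whatever word the sender's message
    happens to carry in the hostname position."""
    return str(PurePosixPath(root) / claimed_hostname(payload))


def dir_from_source(root, source_ip):
    """Safer: the directory name comes from the peer address observed by
    the receiver, accepted only if it parses as an IP literal."""
    addr = ipaddress.ip_address(source_ip)  # raises ValueError otherwise
    return str(PurePosixPath(root) / addr.compressed.replace(":", "_"))


def layout(root, samples):
    """Return (directories named from message content,
    directories named from source address), each sorted."""
    weak = sorted({dir_from_message(root, p) for _, p in samples})
    safe = sorted({dir_from_source(root, ip) for ip, _ in samples})
    return weak, safe


if __name__ == "__main__":
    weak, safe = layout("/var/log/remote", SAMPLES)
    print("from message content:", *weak, sep="\n  ")
    print("from source address: ", *safe, sep="\n  ")
```

As RB notes above, the source address stops identifying the original sender once messages pass through a relay.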