[rsyslog] last message repeated n times from remote hosts
Mikolaj Kucharski
mikolaj at kucharski.name
Thu Mar 25 22:08:43 CET 2010
Any comments?
On Wed, Feb 10, 2010 at 12:02:30PM +0000, Mikolaj Kucharski wrote:
> Hi,
>
> I have a few Linux-based machines with sysklogd installed, and I have a
> central syslog server based on CentOS 5 with rsyslog-2.0.6-1.el5.
>
> I have an issue with a missing hostname when sysklogd sends "last message
> repeated N times" over the wire to the rsyslog server.
>
> Let's have a look. I used logger(1) to repeatedly send one message a few
> times, followed by one different message. Here is what I see in the log
> file on my central rsyslog server:
>
> Feb 10 11:39:46 10.101.43.124 root: remote test start
> Feb 10 11:39:54 last message repeated 14 times
> Feb 10 11:39:54 10.101.43.124 root: remote test end
>
>
> and here is tcpdump(8) log from the source (10.101.43.124) machine:
>
>
> 11:39:46.642297 IP 10.101.43.124.syslog > 10.101.40.116.syslog: SYSLOG user.notice, length: 28
> 0x0000: 4500 0038 0000 4000 4011 d1fb 0a65 2b7c E..8..@.@....e+|
> 0x0010: 0a65 2874 0202 0202 0024 68ef 3c31 333e .e(t.....$h.<13>
> 0x0020: 726f 6f74 3a20 7265 6d6f 7465 2074 6573 root:.remote.tes
> 0x0030: 7420 7374 6172 740a t.start.
> 11:39:54.904820 IP 10.101.43.124.syslog > 10.101.40.116.syslog: SYSLOG user.notice, length: 35
> 0x0000: 4500 003f 0000 4000 4011 d1f4 0a65 2b7c E..?..@.@....e+|
> 0x0010: 0a65 2874 0202 0202 002b 68f6 3c31 333e .e(t.....+h.<13>
> 0x0020: 6c61 7374 206d 6573 7361 6765 2072 6570 last.message.rep
> 0x0030: 6561 7465 6420 3134 2074 696d 6573 0a eated.14.times.
> 11:39:54.904826 IP 10.101.43.124.syslog > 10.101.40.116.syslog: SYSLOG user.notice, length: 26
> 0x0000: 4500 0036 0000 4000 4011 d1fd 0a65 2b7c E..6..@.@....e+|
> 0x0010: 0a65 2874 0202 0202 0022 68ed 3c31 333e .e(t....."h.<13>
> 0x0020: 726f 6f74 3a20 7265 6d6f 7465 2074 6573 root:.remote.tes
> 0x0030: 7420 656e 640a t.end.
>
>
> I searched the list, and saw a comment which says the fault is on the
> sysklogd end as it never sends the hostname in the repeated-n-times packet,
> but from the above I cannot see that it ever sends a packet with a hostname,
> so I think the issue is on the rsyslog side, and not on the sysklogd side.
>
> Could someone shed some light on my issue, as I would like to see all
> the time the source IP or hostname of incoming messages to the rsyslog
> daemon.
>
> Is this missing source hostname/IP a bug of rsyslog?
>
> Is there any way to work around that?
>
>
> Thanks.
>
>
> PS1. I cannot change client machines, I cannot reinstall them with
> different syslog implementation, the only machine where I have
> permission to do modifications is central rsyslog server.
>
> PS2. I know about DNS and RevDNS and yes, above server doesn't have
> revDNS setup.
--
best regards
q#
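
Added example, not part of the original post: a Python decoder for the three datagrams in the tcpdump output quoted above. It shows that each payload carries only `<PRI>` and the message text, with no RFC 3164 timestamp or hostname, so the only origin information on the wire is the source address in the IP header. The function and field names are illustrative.

```python
import re
import socket
import struct

# Datagrams (IP header onward) copied from the tcpdump output quoted above.
PACKETS = [
    "4500 0038 0000 4000 4011 d1fb 0a65 2b7c 0a65 2874 0202 0202 0024 68ef 3c31 333e"
    "726f 6f74 3a20 7265 6d6f 7465 2074 6573 7420 7374 6172 740a",
    "4500 003f 0000 4000 4011 d1f4 0a65 2b7c 0a65 2874 0202 0202 002b 68f6 3c31 333e"
    "6c61 7374 206d 6573 7361 6765 2072 6570 6561 7465 6420 3134 2074 696d 6573 0a",
    "4500 0036 0000 4000 4011 d1fd 0a65 2b7c 0a65 2874 0202 0202 0022 68ed 3c31 333e"
    "726f 6f74 3a20 7265 6d6f 7465 2074 6573 7420 656e 640a",
]
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
# RFC 3164 header that may follow <PRI>: "Mmm dd hh:mm:ss HOSTNAME "
RFC3164_HEADER = re.compile(r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ")


def decode(hex_dump):
    """Decode one IPv4/UDP syslog datagram into its origin and message fields."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if raw[0] >> 4 != 4 or raw[9] != 17:           # version 4, protocol 17 (UDP)
        raise ValueError("not an IPv4/UDP datagram")
    udp_len = struct.unpack("!H", raw[ihl + 4:ihl + 6])[0]
    payload = raw[ihl + 8:ihl + udp_len].decode("ascii", "replace")
    pri = re.match(r"<(\d{1,3})>", payload)
    if not pri or int(pri.group(1)) > 191:         # 23 facilities * 8 + 7
        raise ValueError("missing or invalid <PRI>")
    value, rest = int(pri.group(1)), payload[pri.end():]
    hdr = RFC3164_HEADER.match(rest)               # None when no header was sent
    return {
        "src_ip": socket.inet_ntoa(raw[12:16]),    # taken from the IP header only
        "priority": f"{FACILITIES[value >> 3]}.{SEVERITIES[value & 7]}",
        "timestamp": hdr.group(1) if hdr else None,
        "hostname": hdr.group(2) if hdr else None,
        "message": (rest[hdr.end():] if hdr else rest).rstrip("\n"),
    }


if __name__ == "__main__":
    for packet in PACKETS:
        print(decode(packet))
```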