[rsyslog] rsyslog tarball

Rainer Gerhards rgerhards at hq.adiscon.com
Tue Feb 14 09:05:04 CET 2012


> I am not behind NAT..., and some hosts (also RHEL5) from same VLAN is
> logging their hostname just fine...
> If this is taken from the IP-header, all syslog-messages (whether it be
> legacy or rsyslog) will report its actual IP in a non-NAT'ed
> environment. So this situation wouldn't be possible either if it is
> legacy syslog or rsyslog - am I right ?
> 
> Rainer: Are you able to see, from the last debug output I sent you,
> what is happening (think I also sent you the hostname/ip of "the
> problem host" directly) ?

I think I didn't get a debug log that shows this problem. At least I have
none in my mail archive.

In any case, in order to track this down quickly, I need a debug log where
the vast majority of traffic is from a system that doesn't appear to be
right. So that I can see which receive is from that system and how it is
processed. It is much harder to try to analyze this if there are several
hosts and I don't know what to look at. Note that I am off to the Fedora
Developer Conference tomorrow and busy there for the rest of the week.

Rainer 
> 
> 
> Br.
> ~maymann
> 
> 
> 2012/2/13 Rainer Gerhards <rgerhards at hq.adiscon.com>
> 
> 
> 
> 	> -----Original Message-----
> 	> From: Michael Maymann [mailto:michael at maymann.org]
> 	> Sent: Monday, February 13, 2012 1:25 PM
> 	> To: Rainer Gerhards
> 	> Cc: rsyslog-users
> 	> Subject: Re: rsyslog tarball
> 	>
> 	> Hi,
> 	>
> 	> Rainer: thanks - the fix you sent me seems to work...:-) at least on
> 	> hosts sending its IP... - unfortunately not all legacy syslog clients
> 	> do..:-( !
> 	>
> 	> I tried to restart syslog again on the host that caused "???" before,
> 	> but I am still unable to find either IP or hostname in the log...
> 	>
> 	>
> 	> is FROMHOST based on:
> 	> 1. dns-lookup of the IP inside the transmitted IP-packet ?
> 	>
> 	> or
> 	> 2. dns-lookup of what it states as its IP/hostname inside syslog-message ?
> 	>
> 
> 
> 	Neither. It's just the remote peer (taken from the IP header). It's not taken
> 	from a syslog header field. If you use DNS reverse resolution, it's the name,
> 	else the IP address.
> 
> 
> 	>
> 	> I would prefer 1., as this would always be right - except if you're in a
> 	> NAT'ed environment...
> 	> Preferably NAT could be auto-detected (could it be: if traffic is
> 	> coming from syslog-server LAN or syslog-server default-GW then the
> 	> client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost
> 	> (nslookup of IPPacketIP) variables could be added and used if it fits
> 	> ones environment... ?
> 
> 
> 	The best route is to make sure all syslogd's emit proper RFC3164 or RFC5424
> 	format and simply use HOSTNAME. (you may also look at [1] for NAT and
> 	non-rsyslog).
> 
> 	Rainer
> 	[1] http://www.rsyslog.com/article19/
> 
> 	>
> 	>
> 	> Br.
> 	> ~maymann
> 	>
> 	>
> 	> 2012/2/7 Rainer Gerhards <rgerhards at hq.adiscon.com>
> 	>
> 	>
> 	>       That's a regular log file [in RSYSLOG_DebugForm], showing the log
> 	>       messages as you received them. That's not a debug log that shows
> 	>       rsyslog processing. To create the latter, do the same procedure that
> 	>       you used to create the content of your mail I received at 8:43am
> 	>       today. *That* was a debug log. Look at the content of both of your
> 	>       mails and you will immediately notice the difference.
> 	>
> 	>       Please also keep the mailing list CCed...
> 	>
> 	>
> 	>       Rainer
> 	>
> 	>       > -----Original Message-----
> 	>       > From: Michael Maymann [mailto:michael at maymann.org]
> 	>       > Sent: Tuesday, February 07, 2012 10:28 AM
> 	>       > To: Rainer Gerhards
> 	>       > Subject: Re: rsyslog tarball
> 	>       >
> 	>       > it states "Debug line with all properties:" all over the logfile...
> 	>       > Please tell me how to run this thing...?
> 	>       >
> 	>       > ~maymann
> 	>       >
> 	>       >
> 	>       > 2012/2/7 Rainer Gerhards <rgerhards at hq.adiscon.com>
> 	>       >
> 	>       >       I guess you mistook files: this was not a debug log but a
> 	>       >       logfile ;)
> 	>       >
> 	>       >       rainer
> 	>       >
> 	>       >
> 	>       >       > -----Original Message-----
> 	>       >       > From: Michael Maymann [mailto:michael at maymann.org]
> 	>       >       > Sent: Tuesday, February 07, 2012 10:22 AM
> 	>       >       > To: Rainer Gerhards
> 	>       >       > Cc: david at lang.hm; rsyslog-users
> 	>       >       > Subject: Re: rsyslog tarball
> 	>       >       >
> 	>       >       > Just made a shorter run with same info inside... attached...
> 	>       >       >
> 	>       >       > ~maymann
> 	>       >       >
> 	>       >       >
> 	>       >       > 2012/2/7 Rainer Gerhards <rgerhards at hq.adiscon.com>
> 	>       >       >
> 	>       >       >       > -----Original Message-----
> 	>       >       >       > From: Michael Maymann [mailto:michael at maymann.org]
> 	>       >       >       > Sent: Tuesday, February 07, 2012 9:46 AM
> 	>       >       >       > To: Rainer Gerhards
> 	>       >       >       > Cc: david at lang.hm; rsyslog-users
> 	>       >       >       > Subject: Re: rsyslog tarball
> 	>       >       >       >
> 	>       >       >       > Hi Rainer,
> 	>       >       >       >
> 	>       >       >       > it is 30Mb - please provide ftp-upload...
> 	>       >       >
> 	>       >       >       Zipped or plain? If not zipped, you can probably compress
> 	>       >       >       it by 90+%. Anyhow, the FTP server is
> 	>       >       >
> 	>       >       >       ftp://custservice.adiscon.com/incoming
> 	>       >       >
> 	>       >       >       user anonymous, password whatever you like
> 	>       >       >       Note that you can only upload, NOT read. Most importantly,
> 	>       >       >       you won't be able to see the file when the upload is done.
> 	>       >       >
> 	>       >       >       If you can compress and mail the file, I can possibly
> 	>       >       >       access it faster, just if that's an option.
> 	>       >       >
> 	>       >       >       Thanks!
> 	>       >       >       Rainer
> 	>       >       >
> 	>       >       >
> 	>       >       >       >
> 	>       >       >       > br.
> 	>       >       >       > ~maymann
> 	>       >       >       >
> 	>       >       >       >
> 	>       >       >       > 2012/2/7 Rainer Gerhards <rgerhards at hq.adiscon.com>
> 	>       >       >       >
> 	>       >       >       >
> 	>       >       >       >       > -----Original Message-----
> 	>       >       >       >       > From: Michael Maymann [mailto:michael at maymann.org]
> 	>       >       >       >       > Sent: Tuesday, February 07, 2012 8:43 AM
> 	>       >       >       >       > To: Rainer Gerhards; david at lang.hm
> 	>       >       >       >       > Subject: Re: rsyslog tarball
> 	>       >       >       >       >
> 	>       >       >       >       > [root at oulog001 log]# /usr/sbin/rsyslogd -c 6 -d
> 	>       >       >       >       >
> 	>       >       >       >       > 9788.497831529:7f639a331700: rsyslogd 6.3.7-postexp1 startup, compatibility mode 6, module path '', cwd:/var/log
> 	>       >       >       >       > 9788.497969104:7f639a331700: caller requested object 'net', not found
> 	>       >       >       >
> 	>       >       >       >       [snip]
> 	>       >       >       >
> 	>       >       >       >       Sorry, this debug info does not contain any of the
> 	>       >       >       >       instrumentation I need (no case occurred) I guess you
> 	>       >       >       >       have cut that off. Please send me a complete file,
> 	>       >       >       >       best as an attachment (working with saved mail
> 	>       >       >       >       messages is far less nice :)).
> 	>       >       >       >
> 	>       >       >       >       If the debug log is too large to mail, please let me
> 	>       >       >       >       know. I can provide an anonymous upload-only ftp server
> 	>       >       >       >       in that case.
> 	>       >       >       >
> 	>       >       >       >       Thanks!
> 	>       >       >       >       Rainer
> 	>       >       >       >
> 	>       >       >       >
> 	>       >       >
> 	>       >       >
> 	>       >       >
> 	>       >
> 	>       >
> 	>       >
> 	>
> 	>
> 	>
> 
> 
> 
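The distinction Rainer draws in the quoted exchange (FROMHOST comes from the IP header of the received packet, while HOSTNAME is a field the sender writes into the RFC 3164 message) is easy to see on the wire. The following is an added example, not code from this thread or from rsyslog itself: a small receiver-side classifier that parses a BSD-syslog datagram, separates the header HOSTNAME from the transport peer address, and flags the two situations discussed above, a legacy client that omits HOSTNAME entirely and a peer whose address lies outside the collector's own networks (the NAT case). The sample datagrams, the `local_nets` parameter and the "first token containing ':' or '[' is a TAG" heuristic are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample datagrams as (peer address from the IP header, UDP payload).
# These are made up for the example and are not the thread's own log lines.
SAMPLES = [
    ("192.0.2.10", "<34>Feb 14 09:05:04 web01 sshd[1234]: Accepted publickey for alice"),
    ("192.0.2.10", "<34>Feb 14 09:05:05 192.0.2.10 sshd[1235]: session opened"),
    ("203.0.113.5", "<13>Feb 14 09:05:06 branch-fw kernel: link up"),  # peer is a NAT gateway
    ("192.0.2.11", "<13>Feb 14 09:05:07 crond[77]: job finished"),     # legacy sender, no HOSTNAME
]

# RFC 3164 header: PRI, then "Mmm dd hh:mm:ss", then HOSTNAME and MSG.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$"
)


def parse_rfc3164(raw):
    """Split a BSD-syslog line into its fields; HOSTNAME is None when omitted."""
    m = HEADER_RE.match(raw)
    if m is None:
        return None
    pri = int(m.group("pri"))
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    # Assumed heuristic (not rsyslog's own logic): a first token containing ':' or '['
    # is already the TAG, i.e. the sender left the HOSTNAME field out entirely.
    if ":" in first or "[" in first:
        hostname, msg = None, rest
    else:
        hostname, msg = first, remainder
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "hostname": hostname,
        "msg": msg,
    }


def classify(peer_ip, raw, local_nets=()):
    """Decide which origin identifier to record for one received datagram.

    peer_ip    -- transport-layer sender (what rsyslog exposes as fromhost-ip)
    local_nets -- networks assumed to reach the collector without NAT; a peer
                  outside them is flagged, since its address may be a gateway.
    """
    parsed = parse_rfc3164(raw)
    peer = ipaddress.ip_address(peer_ip)
    natted = bool(local_nets) and not any(
        peer in ipaddress.ip_network(net) for net in local_nets
    )
    header_host = parsed["hostname"] if parsed else None

    # If the sender wrote an IP literal into HOSTNAME, it can be checked against
    # the peer address: a difference means NAT or a sender claiming another origin.
    try:
        header_ip = ipaddress.ip_address(header_host) if header_host else None
    except ValueError:
        header_ip = None
    ip_mismatch = header_ip is not None and header_ip != peer

    if header_host is None:
        origin, source = peer_ip, "peer"        # only the IP header is available
    else:
        origin, source = header_host, "header"  # use the message's own HOSTNAME

    return {
        "fromhost_ip": peer_ip,
        "hostname": header_host,
        "origin": origin,
        "source": source,
        "natted": natted,
        "ip_mismatch": ip_mismatch,
        "msg": parsed["msg"] if parsed else raw,
    }


if __name__ == "__main__":
    for peer, line in SAMPLES:
        print(classify(peer, line, local_nets=["192.0.2.0/24"]))
```

The `source` field is the practical takeaway: for the legacy sender that omits HOSTNAME, the only origin available is the peer address, which is exactly the value that becomes a gateway address behind NAT. The `ip_mismatch` flag is a cheap detection for the case where a message carries an IP literal in HOSTNAME that differs from the peer; on a collector that is worth alerting on, since it is either an unaccounted-for NAT path or a sender asserting an origin it does not have.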



