[rsyslog] Preserve full FQDNs in logs while sending from rsyslog to syslog-ng

David Lang david at lang.hm
Fri Jan 25 07:54:07 CET 2013


Did you also change your default template statement to use your new format?

It's also useful to write a log with the RSYSLOG_DebugFormat; it lists all the 
variables that are set so that you can pick which one you want to use.

Also, are you sure that syslog-ng was using the hostname from the message, not 
doing a reverse DNS lookup to get the hostname? (That would be the %FROMHOST% 
variable in rsyslog.)

David Lang

On Fri, 25 Jan 2013, shadyabhi wrote:

> Hi David,
>
> Thanks for your reply. I added,
>
> # A template that resembles traditional syslogd file output:
> $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
>
> to my already existing rsyslog.conf but it didn't help. Can you please be 
> more specific about what the conf file should look like?
>
>
> On 01/25/2013 12:27 AM, David Lang wrote:
>> You want to change your default template; the TraditionalFileFormat matches 
>> the old syslog RFC, which specifies that hostnames should be shortened.
>> 
>> David Lang
>> 
>> On Thu, 24 Jan 2013, shadyabhi wrote:
>> 
>>> Date: Thu, 24 Jan 2013 18:10:48 +0530
>>> From: shadyabhi <abhijeet.1989 at gmail.com>
>>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
>>> To: rsyslog at lists.adiscon.com
>>> Subject: [rsyslog] Preserve full FQDNs in logs while sending from rsyslog to syslog-ng
>>> 
>>> Hi,
>>> 
>>> I am trying to send logs from rsyslog to syslog-ng server via UDP. If the 
>>> hostname for the box is foobar.server.com, I only get foobar in the logs. 
>>> For ex, I get
>>> 
>>> Jan 24 12:31:08 foobar policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used
>>> but what I expected was:
>>> Jan 24 12:31:08 foobar.server.com policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used
>>> 
>>> My rsyslog.conf:
>>> 
>>> $ModLoad imuxsock
>>> $ModLoad imklog
>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>> $IncludeConfig /etc/rsyslog.d/*.conf
>>> $PreserveFQDN on
>>> *.info;mail.none;authpriv.none;cron.none /var/log/messages
>>> authpriv.* /var/log/secure
>>> mail.* -/var/log/maillog
>>> cron.* /var/log/cron
>>> *.emerg                                                 *
>>> uucp,news.crit /var/log/spooler
>>> local7.* /var/log/boot.log
>>> @syslog.server.com:514
>>> 
>>> And my syslog-ng.conf looks like: http://sprunge.us/OUOL
>>> 
>>> Also, I want to point out that sending logs from syslog to syslog-ng works 
>>> perfectly.
>>> 
>>> 
>
>
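
Added example, not part of the original thread or the rsyslog project's own configuration: a legacy-format rsyslog.conf fragment showing how a template is bound to actions, which is what the question about the "default template statement" refers to. The template name FqdnForward, the debug file path, and the `*.*` selector on the forwarding rule are assumptions; the hostnames and the TraditionalFormat template come from the messages above.

```conf
# Added example (not from the thread). Legacy-format rsyslog.conf fragment.
# FqdnForward and /var/log/rsyslog-debug.log are hypothetical names.

# Same directive as in the posted config.
$PreserveFQDN on

# Forwarding template: same layout as the built-in
# RSYSLOG_TraditionalForwardFormat, defined here under its own name.
$template FqdnForward,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

# File template from the thread. Defining a template does not apply it;
# it has to be made a default or attached to an action.
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# Option 1: make the templates the defaults for the actions that follow.
$ActionFileDefaultTemplate TraditionalFormat
$ActionForwardDefaultTemplate FqdnForward

# Option 2: bind a template to a single action with ";TemplateName".
*.info;mail.none;authpriv.none;cron.none /var/log/messages;TraditionalFormat

# Forwarding rule with the template attached.
# The "*.*" selector is an assumption; the posted config shows none.
*.* @syslog.server.com:514;FqdnForward

# Temporary debug output: writes every property of each message
# (HOSTNAME, FROMHOST, ...) so the value to use in a template can be
# read directly from the file.
*.* /var/log/rsyslog-debug.log;RSYSLOG_DebugFormat
```

The debug file shows what rsyslog holds in HOSTNAME on the sending host, which separates a sender-side truncation from a hostname rewritten on the receiving side.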

