[rsyslog] Preserve full FQDNs in logs while sending from rsyslog to syslog-ng

Rainer Gerhards rgerhards at hq.adiscon.com
Fri Jan 25 08:01:03 CET 2013


> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of David Lang
> Sent: Friday, January 25, 2013 7:54 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Preserve full FQDNs in logs while sending from rsyslog
> to syslog-ng
> 
> did you also change your default template statement to use your new
> format?

There is some pretty old functionality to remove domain parts from the hostname (it's a sysklogd leftover). I think it is still controlled by command line options (-l, -s?). Also, there is a setting $PreserveFQDN (or so) that must be enabled to not do too much mangling. Finally, some older versions always removed the local domain (I fixed that maybe three years ago, I think, but many distros carry those old versions).

Maybe this is another direction to look at.

HTH
Rainer
> 
> It's also useful to write a log with the RSYSLOG_DebugFormat, it lists all the
> variables that are set so that you can pick which one you want to use.
> 
> also, are you sure that syslog-ng was using the hostname from the message,
> not doing a reverse DNS lookup to get the hostname? (that would be the
> %FROMHOST% variable in rsyslog)
> 
> David Lang
> 
> On Fri, 25 Jan 2013, shadyabhi wrote:
> 
> > Hi David,
> >
> > Thanks for your reply. I added,
> >
> > # A template that resembles traditional syslogd file output:
> > $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
> >
> > to my already existing rsyslog.conf but it didn't help. Can you please
> > be more specific about what the conf file should look like?
> >
> >
> > On 01/25/2013 12:27 AM, David Lang wrote:
> >> you want to change your default template, the TraditionalFileFormat
> >> matches the old syslog RFC, which specifies that hostnames should be
> >> shortened.
> >>
> >> David Lang
> >>
> >> On Thu, 24 Jan 2013, shadyabhi wrote:
> >>
> >>> Date: Thu, 24 Jan 2013 18:10:48 +0530
> >>> From: shadyabhi <abhijeet.1989 at gmail.com>
> >>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
> >>> To: rsyslog at lists.adiscon.com
> >>> Subject: [rsyslog] Preserve full FQDNs in logs while sending from
> >>> rsyslog to
> >>>     syslog-ng
> >>>
> >>> Hi,
> >>>
> >>> I am trying to send logs from rsyslog to syslog-ng server via UDP.
> >>> If the hostname for the box is foobar.server.com, I only get foobar in the
> >>> logs.
> >>> For ex, I get
> >>>
> >>> Jan 24 12:31:08 foobar policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used
> >>> but what I expected was:
> >>> Jan 24 12:31:08 foobar.server.com policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used
> >>>
> >>> My rsyslog.conf:
> >>>
> >>> $ModLoad imuxsock
> >>> $ModLoad imklog
> >>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >>> $IncludeConfig /etc/rsyslog.d/*.conf
> >>> $PreserveFQDN on
> >>> *.info;mail.none;authpriv.none;cron.none /var/log/messages
> >>> authpriv.* /var/log/secure
> >>> mail.* -/var/log/maillog
> >>> cron.* /var/log/cron
> >>> *.emerg                                                 *
> >>> uucp,news.crit /var/log/spooler
> >>> local7.* /var/log/boot.log
> >>> @syslog.server.com:514
> >>>
> >>> And my syslog-ng.conf looks like: http://sprunge.us/OUOL
> >>>
> >>> Also, I want to point out that sending logs from syslog to syslog-ng
> >>> works perfectly.
> >>>
> >>>
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> >> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >> you DON'T LIKE THAT.
> >
> >

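To check on the collector whether any sender is still stripping the domain, the following added example (not part of the original thread or of rsyslog) scans traditional-format log lines and reports hosts logged by short name, plus short names that could belong to more than one FQDN seen in the same log. The function names, the third to sixth sample lines and the `foobar.dmz.example` name are constructed for illustration; the first two sample lines are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Traditional file format: "Mmm dd hh:mm:ss HOSTNAME tag: message"
LINE_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<host>\S+) ")

def classify(host):
    """Return 'ip', 'fqdn' or 'short' for a HOSTNAME field."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        # A trailing dot alone does not make a name fully qualified.
        return "fqdn" if "." in host.strip(".") else "short"

def audit(lines):
    """Count short hostnames and flag those matching several FQDNs."""
    short = Counter()
    fqdns = defaultdict(set)  # first label -> full names seen
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        host = m.group("host").lower()
        kind = classify(host)
        if kind == "short":
            short[host] += 1
        elif kind == "fqdn":
            fqdns[host.split(".", 1)[0]].add(host)
    # A short name is ambiguous when two or more FQDNs share its first label.
    ambiguous = {h: sorted(fqdns[h]) for h in short if len(fqdns.get(h, ())) > 1}
    return {"short": dict(short), "ambiguous": ambiguous, "unparsed": unparsed}

# Constructed sample input (first two lines taken from the thread).
SAMPLE = [
    "Jan 24 12:31:08 foobar policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used",
    "Jan 24 12:31:08 foobar.server.com policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used",
    "Jan 24 12:31:09 foobar.dmz.example sshd[812]: session opened",
    "Jan 24 12:31:10 192.0.2.7 kernel: link up",
    "Jan  4 02:00:00 mail1 postfix/qmgr[99]: queue empty",
    "-- MARK --",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the collector's output file by passing the open file object to `audit()`; a non-empty `ambiguous` entry means events from different machines cannot be told apart by hostname alone.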