clone 512663 -1
reassign -1 sysklogd
retitle -1 sysklogd does not support hostname in syslog header
thanks
Rainer Gerhards wrote:
>
>
>> -----Original Message-----
>> From: Michael Biebl [mailto:[email protected]]
>> Sent: Thursday, January 22, 2009 7:07 PM
>> To: Rainer Gerhards
>> Cc: Nikita V. Youshchenko; [email protected]
>> Subject: Re: Bug#512663: When logging to remote, hostname gets doubled
>>
>> Rainer Gerhards wrote:
>>> The problem is that sysklogd does not properly parse the syslog header
>>> and does NOT expect a hostname inside it. sysklogd always uses the
>>> hostname from the udp layer, thus the duplication.
>> But that sounds more like a bug in sysklogd than rsyslog, right?
> Well... Yes and no (see below)
>
>> Or is adding a hostname to the syslog header non-standard?
> No, RFC 3164 specifies that the hostname is present.
>
>> I quickly tested syslog-ng, and fwiw it also doesn't seem to have a problem with
>> logs from a rsyslog client (although syslog-ng does not use the hostname but the
>> ip address from the remote host. So it seems, everyone is doing it a bit
>> differently)

I also tested the other way around: syslog-ng client forwarding messages to sysklogd, and I also get the double hostname entries in the log message. So it seems syslog-ng does it like rsyslog and also adds the hostname to the syslog header.

So I cloned this bug report and reassigned it to sysklogd.

> That's the big issue: indeed, everybody is doing it different. RFC 3164
> is just an informal document and while it is somewhat blessed by RFC
> 3195, we will not have a real header standard until syslog-protocol is
> finally out. While working on it, my research has shown that nothing
> other than PRI is actually common across current syslog implementations. So it
> is a really bad situation (the rsyslog parser includes a lot of
> guesswork for that very same reason).
>
>>
>>> However, it is easy to work around: you need to create a special
>>> template (that does not contain the host name) and use that template in
>>> the forwarding action. Would probably make sense to include a stock
>>> template for this purpose...
>> Rainer, could you post such a template?
>
> I can not test right now (being at home without a test machine active),
> but it should be
>
> $template sysklogd, "<%PRI%>%TIMESTAMP% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
>
> I have taken that from the stock templates in rsyslogd and just removed
> the hostname. It should do the trick.
>

I'm going to take this $template and add instructions to README.Debian, how to use it when forwarding messages from a rsyslog client to a sysklogd server.

Nikita, I hope that is sufficient to address this issue.

Cheers,
Michael
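The hostname doubling discussed in this thread can be reproduced with a small model; this is an added example, not code from the thread or from rsyslog/sysklogd. The function names, the tag heuristic in `header_aware_receiver` and the sample message are assumptions made for illustration.

```python
import re

# PRI and RFC 3164 TIMESTAMP ("Mmm dd hh:mm:ss"), then the rest of the packet.
HEAD = re.compile(r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)", re.S)

def render(pri, timestamp, tag, msg, hostname=None):
    """Model of the forwarding template; hostname=None is the variant
    from the thread with the hostname field removed."""
    sep = "" if msg.startswith(" ") else " "      # %msg:::sp-if-no-1st-sp%
    host = f"{hostname} " if hostname else ""
    return f"<{pri}>{timestamp} {host}{tag[:32]}{sep}{msg}"  # %syslogtag:1:32%

def naive_receiver(packet, udp_host):
    """Strips PRI and TIMESTAMP, never looks for a HOSTNAME field, and always
    logs the host taken from the UDP layer (the behaviour described above)."""
    m = HEAD.match(packet)
    if not m:
        return f"{udp_host} {packet}"
    return f"{m.group(2)} {udp_host} {m.group(3)}"

def header_aware_receiver(packet, udp_host):
    """Accepts an optional HOSTNAME. Guesswork (an assumption of this sketch):
    the first token is a hostname only if it does not look like a tag."""
    m = HEAD.match(packet)
    if not m:
        return f"{udp_host} {packet}"
    first, _, rest = m.group(3).partition(" ")
    if rest and ":" not in first and "[" not in first:
        return f"{m.group(2)} {first} {rest}"
    return f"{m.group(2)} {udp_host} {m.group(3)}"

# Constructed sample message, not taken from the bug report.
SAMPLE = dict(pri=13, timestamp="Jan 22 19:07:00", tag="su:", msg="session opened")
WITH_HOST = render(hostname="client1", **SAMPLE)
NO_HOST = render(**SAMPLE)

if __name__ == "__main__":
    for name, rx in (("naive", naive_receiver), ("aware", header_aware_receiver)):
        for packet in (WITH_HOST, NO_HOST):
            print(f"{name:5} | {packet!r} -> {rx(packet, 'client1')!r}")
```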

