On Mon, 2009-01-19 at 17:21 +0800, Patrick Shen wrote:
> Hi all,
>
> Recently I encountered a weird problem. Let me explain below:
>
> I've a client which is using traditional syslog (NOT rsyslog) app for storing
> and forwarding logs to loghost.
>
> Here are some "snmpd" logs for example:
> ##########################################################################################
> Jan 19 10:03:09 athos snmpd[1104]: Connection from UDP: [192.168.23.7]:34289
> Jan 19 10:03:09 athos snmpd[1104]: Received SNMP packet(s) from UDP: [192.168.23.7]:34289
> Jan 19 10:04:10 athos snmpd[1104]: Connection from UDP: [192.168.23.7]:58181
> Jan 19 10:04:10 athos snmpd[1104]: Received SNMP packet(s) from UDP: [192.168.23.7]:58181
> Jan 19 10:04:10 athos snmpd[1104]: Connection from UDP: [192.168.23.7]:58181
> *Jan 19 10:04:10 athos last message repeated 25 times*
> ##########################################################################################
>
> Please take into account the last line.
>
> And I've a loghost host for receiving by using rsyslog v3.20.2 and used the
> following dynamic template to store logs:
> ##########################################################################################
> $template d_hosts,"/var/rsyslog/HOSTS/%hostname%/%$year%/%$month%/%syslogfacility-text%_%hostname%_%$year%_%$month%_%$day%.log"
> ##########################################################################################
>
> and also opened a debug template by the following configuration in rsyslog.conf:
> ##########################################################################################
> $template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%', FACILITY-TEXT: '%syslogfacility-text%'\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nrawmsg: '%rawmsg%'\n\n"
> *.* -/var/rsyslog/debug;DEBUG # or whatever file you like
> ##########################################################################################
>
> I'm monitoring on the server-side now, and checking the last line by raw
> message.
> ##########################################################################################
> Debug line with all properties:
> FROMHOST: 'athos', HOSTNAME: '*last*', PRI: 30,
> syslogtag 'message', programname: 'message', APP-NAME: 'message', PROCID: '-', MSGID: '-', FACILITY-TEXT: 'daemon'
> TIMESTAMP: 'Jan 19 09:59:09', STRUCTURED-DATA: '-',
> msg: ' repeated 25 times'
> rawmsg: '<30>last message repeated 25 times'
> ##########################################################################################
>
> Does anyone have any idea why the HOSTNAME property is 'last'? (The timestamp is
> not important, because these messages occur often).
Yes, unfortunately ;)

The reason simply is that sysklogd does emit malformed messages with the "last message repeated..." line. If you look at a packet capture, you'll see that they do not contain a hostname. What you see in your sysklogd log is a hostname that is locally appended.

You can do a similar thing in rsyslog with the fromhost property - it does not contain the hostname but rather the system that sent the message. In non-relay cases that should be the same, but in relay scenarios you see only the last hop (thus rsyslog by default uses RFC 3164 format).

If you need the relay scenario, there is no way around putting rsyslog on the sending systems, too (or fixing sysklogd, which I guess you need to do yourself or it won't happen...).

Rainer

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
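Rainer's explanation and the debug output quoted above, worked through as an added example that is not part of the thread or of rsyslog: a small Python parser applies the same lenient RFC 3164 split the debug template reveals (PRI, optional timestamp, then the next token is taken as the hostname), flags the malformed repeat notice, and re-attributes it to the sender address, the property Rainer calls fromhost, under his non-relay assumption. The sample datagrams, the parser and the function names are constructed here.

```python
import re

# Constructed samples modelled on the thread: (address the receiver sees, which is
# rsyslog's FROMHOST, raw UDP payload). The second payload is the raw line quoted
# in the thread: sysklogd emits the repeat notice without timestamp or hostname.
SAMPLES = [
    ("athos", "<30>Jan 19 10:04:10 athos snmpd[1104]: Connection from UDP: [192.168.23.7]:58181"),
    ("athos", "<30>last message repeated 25 times"),
]

PRI = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
REPEAT = re.compile(r"^message repeated \d+ times$")


def parse_rfc3164(raw):
    """Lenient RFC 3164 parse mirroring the debug output: PRI, optional timestamp,
    then the next token is taken as hostname and the one after it as syslog tag."""
    m = PRI.match(raw)
    if not m:
        raise ValueError("no PRI header")
    pri, rest = int(m.group("pri")), m.group("rest")
    ts = None
    t = TIMESTAMP.match(rest)
    if t:
        ts, rest = t.group(0).strip(), rest[t.end():]
    host, _, body = rest.partition(" ")
    tag = re.split(r"[\s:\[]", body, maxsplit=1)[0]
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": ts,
            "hostname": host, "syslogtag": tag, "msg": body}


def attribute(fromhost, raw):
    """Parse one datagram and re-attribute a malformed repeat notice to the sending
    system. Assumes non-relay delivery; over a relay FROMHOST is only the last hop."""
    rec = parse_rfc3164(raw)
    rec["fromhost"] = fromhost
    rec["malformed_repeat"] = (rec["hostname"] == "last"
                               and REPEAT.match(rec["msg"]) is not None)
    if rec["malformed_repeat"]:
        rec["hostname"] = fromhost          # attribute to the sender, not "last"
        rec["msg"] = "last " + rec["msg"]   # restore the original notice text
    return rec


if __name__ == "__main__":
    for fromhost, raw in SAMPLES:
        r = attribute(fromhost, raw)
        print(f"{r['hostname']:6} malformed={r['malformed_repeat']!s:5} {r['msg']}")
```

The unrepaired parse of the second sample reproduces the debug line in the thread (HOSTNAME 'last', syslogtag 'message'); the repaired record files it under the sending host instead.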

