Hi,

I have a few Linux-based machines with sysklogd installed, and I have a
central syslog server based on CentOS 5 with rsyslog-2.0.6-1.el5.

I have an issue with a missing hostname when sysklogd sends "last message
repeated N times" over the wire to the rsyslog server.

Let's have a look. I used logger(1) to repeatedly send one message a few
times, followed by one different message. Here is what I see in the log
file on my central rsyslog server:

Feb 10 11:39:46 10.101.43.124 root: remote test start
Feb 10 11:39:54 last message repeated 14 times
Feb 10 11:39:54 10.101.43.124 root: remote test end


and here is tcpdump(8) log from the source (10.101.43.124) machine:


11:39:46.642297 IP 10.101.43.124.syslog > 10.101.40.116.syslog: SYSLOG 
user.notice, length: 28
        0x0000:  4500 0038 0000 4000 4011 d1fb 0a65 2b7c  E..8..@.@....e+|
        0x0010:  0a65 2874 0202 0202 0024 68ef 3c31 333e  .e(t.....$h.<13>
        0x0020:  726f 6f74 3a20 7265 6d6f 7465 2074 6573  root:.remote.tes
        0x0030:  7420 7374 6172 740a                      t.start.
11:39:54.904820 IP 10.101.43.124.syslog > 10.101.40.116.syslog: SYSLOG 
user.notice, length: 35
        0x0000:  4500 003f 0000 4000 4011 d1f4 0a65 2b7c  E..?..@.@....e+|
        0x0010:  0a65 2874 0202 0202 002b 68f6 3c31 333e  .e(t.....+h.<13>
        0x0020:  6c61 7374 206d 6573 7361 6765 2072 6570  last.message.rep
        0x0030:  6561 7465 6420 3134 2074 696d 6573 0a    eated.14.times.
11:39:54.904826 IP 10.101.43.124.syslog > 10.101.40.116.syslog: SYSLOG 
user.notice, length: 26
        0x0000:  4500 0036 0000 4000 4011 d1fd 0a65 2b7c  E..6..@.@....e+|
        0x0010:  0a65 2874 0202 0202 0022 68ed 3c31 333e  .e(t....."h.<13>
        0x0020:  726f 6f74 3a20 7265 6d6f 7465 2074 6573  root:.remote.tes
        0x0030:  7420 656e 640a                           t.end.


I searched the list, and saw a comment which says the fault is on the
sysklogd end as it never sends the hostname in the repeated-n-times packet,
but from the above I cannot see that it ever sends a packet with a hostname,
so I think the issue is on the rsyslog side, and not on the sysklogd side.

Could someone shed some light on my issue, as I would like to always see
the source IP or hostname of incoming messages to the rsyslog
daemon.

Is this missing source hostname/IP a bug in rsyslog?

Is there any way to work around that?


Thanks.


PS1. I cannot change the client machines, I cannot reinstall them with a
different syslog implementation; the only machine where I have
permission to make modifications is the central rsyslog server.

PS2. I know about DNS and RevDNS and yes, the above server doesn't have
revDNS set up.

-- 
best regards
q#
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
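
Added example (not part of the original post and not rsyslog or sysklogd code): decoding the three captured packets above shows that each payload is only `<13>` plus the message text, with no RFC 3164 timestamp/hostname header, so the only origin information on the wire is the UDP source address. The helper names `parse_packet` and `stamp` are hypothetical.

```python
import ipaddress
import re

# The three packets from the post, copied from the tcpdump hex columns
# (IPv4 header + UDP header + syslog payload).
PACKETS = [
    "4500 0038 0000 4000 4011 d1fb 0a65 2b7c 0a65 2874 0202 0202 0024 68ef"
    " 3c31 333e 726f 6f74 3a20 7265 6d6f 7465 2074 6573 7420 7374 6172 740a",
    "4500 003f 0000 4000 4011 d1f4 0a65 2b7c 0a65 2874 0202 0202 002b 68f6"
    " 3c31 333e 6c61 7374 206d 6573 7361 6765 2072 6570 6561 7465 6420 3134"
    " 2074 696d 6573 0a",
    "4500 0036 0000 4000 4011 d1fd 0a65 2b7c 0a65 2874 0202 0202 0022 68ed"
    " 3c31 333e 726f 6f74 3a20 7265 6d6f 7465 2074 6573 7420 656e 640a",
]

PRI = re.compile(r"<(\d{1,3})>")
# RFC 3164 header, "Mmm dd hh:mm:ss hostname ", expected right after the PRI.
HEADER = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")


def parse_packet(hexdump):
    """Split one captured IPv4/UDP syslog packet into source and message."""
    raw = bytes.fromhex(hexdump)
    if raw[0] >> 4 != 4 or raw[9] != 17:
        raise ValueError("expected an IPv4/UDP packet")
    ihl = (raw[0] & 0x0F) * 4              # IP header length in bytes
    src = str(ipaddress.IPv4Address(raw[12:16]))
    text = raw[ihl + 8:].decode("ascii", "replace").rstrip("\n")
    m = PRI.match(text)
    if not m:
        raise ValueError("payload has no <PRI> part")
    pri, body = int(m.group(1)), text[m.end():]
    hdr = HEADER.match(body)               # None: sender put no hostname on the wire
    return {
        "src": src,
        "facility": pri >> 3,
        "severity": pri & 7,
        "wire_host": hdr.group(1) if hdr else None,
        "msg": body[hdr.end():] if hdr else body,
    }


def stamp(rec):
    """Attribute a record: hostname from the wire if present, else packet source."""
    return f"{rec['wire_host'] or rec['src']} {rec['msg']}"


if __name__ == "__main__":
    for packet in PACKETS:
        print(stamp(parse_packet(packet)))
```
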
