Running rsyslog-3.22.1
NOTE: Windbag alert.. it's a bit long.
(And still more windiness in a PS at the end)
I know newer versions are available but 3.22.1 is the newest version my
Linux distro (Gentoo 2010) offers.
Maybe the mechanism that caused the phenomena I observed has changed
in the later versions.
I'm curious to know how rsyslog derives the hostname.
Before explaining the phenomena I noticed, just be clear that this
problem arose strictly from a blunder on my part. So, this is not a
complaint about rsyslog. Just wondering if it points to what could be
a problem.
Due to a blatant blunder on my part, I mistyped the host's name
in the /etc/hosts file. At the 127 line I spelled the host's name wrong.
127.0.0.1 logsrv.local.lan *=>logsvr<=* localhost
The actual name is `logsrv'
logsrv
not logsvr. (I transposed the v and r.)
In this code below from my (no doubt, poorly written) rsyslog.conf
[
This first part contains some fairly standard code. Mostly
unchanged from the default /etc/rsyslog.conf that gets installed.
[ blah ]
]
[then my own code below]
[...]
## write all localhost output to a debug file
$template Ldebug,"/var/log/debug.log"
if \
$source == 'logsrv'\
then -?Ldebug
## write all data from remote hosts to:
## HOSTNAME/HOSTNAME.log for each client
$template RDDF,"/var/log/%hostname%/%hostname%.log"
if \
$source != 'logsrv' \
then -?RDDF
[...]
Note: I used the actual name (logsrv) in the code, since I wasn't sure
which of rsyslog's variables would contain that info instead of
`localhost' or `0.0.0.0' or `127.0.0.1` ... etc.
And understand that this rsyslog.conf was being used in an
experimental environment while I familiarized myself with rsyslog.
The idea was to direct all localhost log output to /var/log/debug.log
(in addition to the more normal defaults in rsyslog.conf not shown here).
And log data coming from remote clients to /var/log/dynaDIR/dynaFILE
Where DIR and FILE are both named dynamically after the host sending
the log data.
It worked just like I had hoped.
But I accidentally found what might be seen as a weakness in rsyslog.
I'm not experienced enough to really judge something like this. And
not adept enough at reading source code to see what the mechanism is.
Apparently rsyslog preferred the mistyped name in /etc/hosts over
the name returned by gethostbyname or the newer getaddrinfo; both
appear to be involved in the source code.
With the mistaken spelling in /etc/hosts, rsyslog (correctly) saw the
mistaken name inside `$source' as not matching `logsrv' in my code, so
wrote to:
/var/log/logsvr/logsvr.log
Once I got the typo fixed, rsyslog wrote all that same stuff to
/var/log/debug.log as expected.
So it makes me wonder how robust the mechanism for getting the
localhost name is. rsyslog appears to use gethostbyname and the
newer getaddrinfo.
Further... I'm not sure where cmds like gethostbyname (and similar
ones) get the info either... for all I know they may just grep
/etc/hosts.
I do know that even while I had the misspelled name in /etc/hosts, the
`hostname' command still returned the correct name. So the `hostname'
cmd must rely on something else.
At any rate, rsyslog apparently turns to grepping the /etc/hosts
file at some point, since in this case the log output was directed to a
directory and file named after the TYPO in /etc/hosts.
It took me a few minutes to figure out where the bad name was coming
from since the `hostname' cmd returned the correct name (logsrv).
Some Linux distros have a special file that tells the OS what its name
is.
On my distro (Gentoo Linux) it's a file at /etc/conf.d/hostname, that
is dedicated to nothing more than giving the host a name.
On Debian it's /etc/hostname
Other distros I've used have a few different ways of getting that
information into play, but I haven't used any Linux distros that
relied on /etc/hosts.
Is having rsyslog rely on /etc/hosts as the final arbiter about the
host name a good plan?
ps - two asides:
1) Any suggestions for better code are welcome
2) Can anyone tell me what the significance of the question mark
preceding the log file variable name is:
$template RDDF,"/var/log/%hostname%/%hostname%.log"
if \
$source != 'logsrv' \
then -?RDDF
------
here
I know what the dash signifies but not the question mark. I just
copied what I saw in the examples and it seems to work.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
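
The post traces the wrong log path to a name on the 127.0.0.1 line of /etc/hosts that disagreed with what `hostname` returned. The following is an added example, not part of the original message and not rsyslog code: a Python check that parses hosts-file text and lists names on the loopback line that match neither the expected hostname nor localhost. The sample file content and the function names are constructed for illustration.

```python
# Constructed sample: the loopback line quoted in the post, with the
# transposed alias (logsvr instead of logsrv).
SAMPLE_HOSTS = """\
# /etc/hosts (constructed sample)
127.0.0.1   logsrv.local.lan logsvr localhost
::1         localhost
"""

# Short names that are normal to find on a loopback line.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return [(address, [names...])] for every entry in hosts-file text."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def short(name):
    """Host part of a name: 'logsrv.local.lan' -> 'logsrv'."""
    return name.split(".", 1)[0].lower()


def audit_hosts(hosts_text, hostname, address="127.0.0.1"):
    """Audit the names listed for `address` against the expected hostname.

    Returns (has_exact, suspects):
      has_exact - True if `hostname` itself is listed as a name or alias
      suspects  - listed names whose host part is neither the hostname
                  nor one of LOCAL_NAMES (for example a mistyped alias)
    """
    names = [n for addr, ns in parse_hosts(hosts_text) if addr == address
             for n in ns]
    has_exact = any(n.lower() == hostname.lower() for n in names)
    allowed = LOCAL_NAMES | {short(hostname)}
    suspects = [n for n in names if short(n) not in allowed]
    return has_exact, suspects


if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS, "logsrv"))  # (False, ['logsvr'])
    # On a live host (needs `import socket`):
    #   audit_hosts(open("/etc/hosts").read(), socket.gethostname())
```
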