I need to re-read this more carefully, but for now let me say that rsyslog does not touch /etc/hosts at all. It exclusively relies on what is returned by the OS. But the "source" property is not locally generated; it contains whatever the sender placed into the relevant field.
Please also see this article:
http://www.rsyslog.com/doc-syslog_parsing.html

Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Harry Putnam
> Sent: Monday, March 01, 2010 4:02 AM
> To: [email protected]
> Subject: [rsyslog] How rsyslog derives hostname
>
> Running rsyslog-3.22.1
>
> NOTE: Windbag alert.. it's a bit long.
> (And still more windiness in a PS at the end)
>
> I know newer versions are available but 3.22.1 is the newest version my
> linux distro (gentoo 2010) offers.
>
> Maybe the mechanism that caused the phenomena I observed has changed
> in the later versions.
>
> I'm curious to know how rsyslog derives the hostname.
>
> Before explaining the phenomena I noticed, just be clear that this
> problem arose strictly from a blunder on my part. So, this is not a
> complaint about rsyslog. Just wondering if it points to what could be
> a problem.
>
> Due to a blatant blunder on my part, I mistyped the host's name
> in the /etc/hosts file. At the 127 line I spelled the host's name
> wrong.
>
>   127.0.0.1 logsrv.local.lan *=>logsvr<=* localhost
>
> The actual name is `logsrv'
>   logsrv
> not logsvr. (I transposed the v and r.)
>
> In this code below from my (no doubt, poorly written) rsyslog.conf
>
> [
> This first part contains some fairly standard code. Mostly
> unchanged from the default /etc/rsyslog.conf that gets installed.
> [ blah ]
> ]
> [then my own code below]
> [...]
>
> ## write all localhost output to a debug file
> $template Ldebug,"/var/log/debug.log"
> if \
>   $source == 'logsrv'\
> then -?Ldebug
>
> ## write all data from remote hosts to:
> ## HOSTNAME/HOSTNAME.log for each client
> $template RDDF,"/var/log/%hostname%/%hostname%.log"
> if \
>   $source != 'logsrv' \
> then -?RDDF
> [...]
>
> Note: I used the actual name (logsrv) in the code, since I wasn't sure
> which of rsyslog's variables would contain that info instead of
> `localhost' or `0.0.0.0' or `127.0.0.1` ... etc.
>
> And understand that this rsyslog.conf was being used in an
> experimental environment while I familiarized myself with rsyslog.
>
> The idea was to direct all localhost log output to /var/log/debug.log
> (in addition to the more normal defaults in rsyslog.conf not shown
> here).
> And log data coming from remote clients to /var/log/dynaDIR/dynaFILE
> Where DIR and FILE are both named dynamically after the host sending
> the log data.
>
> It worked just like I had hoped.
>
> But I accidentally found what might be seen as a weakness in rsyslog.
>
> I'm not experienced enough to really judge something like this. And
> not adept enough at reading source code to see what the mechanism is.
>
> Apparently rsyslog preferred the mistyped name in /etc/hosts over
> the name returned by gethostbyname or the newer getaddrinfo, both
> appear to be involved in the source code.
>
> With the mistaken spelling in /etc/hosts, rsyslog (correctly) saw the
> mistaken name inside `$source' as not matching `logsrv' in my code, so
> wrote to:
>
>   /var/log/logsvr/logsvr.log
>
> Once I got the typo fixed, rsyslog wrote all that same stuff to
> /var/log/debug.log as expected.
>
> So it makes me wonder how robust the mechanism for getting the
> localhost name is. rsyslog appears to use gethostbyname and the
> newer getaddrinfo.
>
> Further... I'm not sure where cmds like gethostbyname (and similar
> ones) get the info either... for all I know they may just grep
> /etc/hosts.
>
> I do know that even while I had the misspelled name in /etc/hosts, the
> `hostname' command still returned the correct name. So the `hostname'
> cmd must rely on something else.
>
> At any rate, rsyslog apparently turns to grepping the /etc/hosts
> file at some point, since in this case the log output was directed to a
> directory and file named after the TYPO in /etc/hosts.
>
> It took me a few minutes to figure out where the bad name was coming
> from since the `hostname' cmd returned the correct name (logsrv).
>
> Some linux distros have a special file that tells the OS what its name
> is.
>
> On my distro (gentoo linux) it's a file at /etc/conf.d/hostname, that
> is dedicated to nothing more than giving the host a name.
>
> On Debian it's /etc/hostname
>
> Other distros I've used have a few different ways of getting that
> information into play, but I haven't used any linux distros that
> relied on /etc/hosts.
>
> Is having rsyslog rely on /etc/hosts as the final arbiter about the
> host name a good plan?
>
> ps - two asides:
> 1) Any suggestions for better code are welcome
> 2) Can anyone tell me what the significance of the question mark
>    preceding the log file variable name is:
>
> $template RDDF,"/var/log/%hostname%/%hostname%.log"
> if \
>   $source != 'logsrv' \
> then -?RDDF
>      ------
>       here
>
> I know what the dash signifies but not the question mark. I just
> copied what I saw in the examples and it seems to work.
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
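
Added example (not part of the original thread and not rsyslog code): since the reply says the "source" property carries whatever the sender placed in the hostname field, this sketch routes by the peer address of the receiving socket and treats the claimed hostname only as a validated file-name label. The function names, peer addresses and sample lines are constructed for illustration, and the messages are assumed to be RFC 3164-style.

```python
import re

# <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message  (RFC 3164-style header)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Only plain host labels may become a directory or file name.
SAFE_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
# None stands for the local log socket (assumption of this sketch).
LOCAL_PEERS = {None, "127.0.0.1", "::1"}


def parse_hostname(raw):
    """Return the HOSTNAME field exactly as the sender wrote it, or None."""
    m = RFC3164.match(raw)
    return m.group("host") if m else None


def log_path(peer_ip, raw, base="/var/log"):
    """Pick the output file from where the message arrived, not what it claims."""
    if peer_ip in LOCAL_PEERS:
        return f"{base}/debug.log"
    claimed = parse_hostname(raw)
    # Fall back to the peer address when the claimed name is missing or unsafe.
    name = claimed if claimed and SAFE_HOST.match(claimed) else peer_ip
    return f"{base}/{name}/{name}.log"


# Constructed sample input: (peer address, raw message).
SAMPLES = [
    (None, "<13>Mar  1 04:02:11 logsvr su: session opened"),         # local, typo name
    ("192.0.2.10", "<13>Mar  1 04:02:12 web01 sshd[311]: Accepted"),  # ordinary client
    ("192.0.2.11", "<13>Mar  1 04:02:13 logsrv cron: job started"),   # claims server name
    ("192.0.2.12", "<13>Mar  1 04:02:14 bad/name app: hello"),        # unsafe name
]


def route_all(samples=SAMPLES):
    return [log_path(peer, raw) for peer, raw in samples]


if __name__ == "__main__":
    for (peer, raw), path in zip(SAMPLES, route_all()):
        print(f"{str(peer):<12} {parse_hostname(raw):<10} -> {path}")
```

The third sample is the case a name-based filter gets wrong: a remote sender that writes "logsrv" in its hostname field still lands in its own per-host file here, because the local/remote decision never looks at that field.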

