My first question would be if the logs have the FQDN in them in the first 
place.

You may want to create a log with the format %raw% and see what is
arriving at your box.

David Lang

On Fri, 26 Mar 2010, Pablo Martinez Schroder wrote:

> Hi,
>
> I'm using rsyslog-5.4.0 and I'm having an issue that I cannot understand. I
> want to implement a central logging server using stunnel, and I need to
> use FQDN always, I don't want to have HOSTNAME truncated to the hostname so
> I enable $PreserveFQDN but only some of the messages seem to use the
> whole hostname. I've seen this issue in multiple versions of rsyslog, so
> I'm quite sure it is not caused by rsyslog-5.4.0
>
> I've tested on multiple versions of CentOS and currently I'm testing
> rsyslog-5.4.0 on a CentOS 5.4. To do the tests I'm logging all the
> messages in a local file, so the interesting part of my /etc/rsyslog.conf
> is like this:
>
> $ModLoad immark   # provides --MARK-- message capability
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imklog   # kernel logging (formerly provided by rklogd)
>
> $PreserveFQDN on
>
> *.* /var/log/everything.log
>
> I start rsyslogd with the "-c 4" option, and if I enable $PreserveFQDN in
> the conf messages from kernel and rsyslogd are saved with the proper FQDN
> but the rest of the messages are stored as if they were originated from
> the hostname, without domain.
>
> # tail /var/log/everything.log
> 010-03-26T07:51:29.513679-04:00 syslog-test.scrambled.com kernel: imklog
> 5.4.0, log source = /proc/kmsg started.
> 2010-03-26T07:51:29.684129-04:00 syslog-test.scrambled.com rsyslogd:
> [origin software="rsyslogd" swVersion="5.4.0" x-pid="1977"
> x-info="http://www.rsyslog.com";] start
> 2010-03-26T07:51:29.707163-04:00 syslog-test stunnel:
> LOG5[1508:1099114816]: ssyslog connected from 127.0.0.1:35446
> 2010-03-26T07:51:30.610043-04:00 syslog-test.scrambled.com kernel: Kernel
> logging (proc) stopped.
> 2010-03-26T07:51:30.610519-04:00 syslog-test.scrambled.com rsyslogd:
> [origin software="rsyslogd" swVersion="5.4.0" x-pid="1977"
> x-info="http://www.rsyslog.com";] exiting on signal 2.
>
> In this case, the only one using "syslog-test" (without the
> ".scrambled.com" part) is stunnel, but all the logs generated from sshd,
> pam, cron, etc are generated from "syslog-test" instead of
> "syslog-test.scrambled.com".
>
> I only have localhost in the hosts file and if I run hostname I get
> "syslog-test.scrambled.com". I even rebooted the server after changing
> $PreserveFQDN, just in case it was some weird thing of applications
> 'caching' the simple hostname (it doesn't make sense, I know). Is there
> anything that I'm doing wrong? Is it possible for rsyslog to use the FQDN
> for all the logs?
>
> I believe that I need that the FQDN is used locally for it to work with a
> remote server (so the HOSTNAME variable in the template has the FQDN)
>
> Many thanks in advance.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
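
An added example, not part of the thread or of rsyslog: a small Python script that groups the lines of a log such as /var/log/everything.log by program and reports which programs were written with a short hostname instead of an FQDN. The sample lines are constructed from the tail output quoted above (e-mail line wraps joined), and the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 3339 timestamp, HOSTNAME field, then the program name of the syslog tag.
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\S+ (?P<host>\S+) (?P<tag>[^:\[\s]+)")

# Constructed sample, modelled on the tail output in the post.
SAMPLE = [
    "2010-03-26T07:51:29.513679-04:00 syslog-test.scrambled.com kernel: "
    "imklog 5.4.0, log source = /proc/kmsg started.",
    "2010-03-26T07:51:29.684129-04:00 syslog-test.scrambled.com rsyslogd: "
    '[origin software="rsyslogd" swVersion="5.4.0" x-pid="1977"] start',
    "2010-03-26T07:51:29.707163-04:00 syslog-test stunnel: "
    "LOG5[1508:1099114816]: ssyslog connected from 127.0.0.1:35446",
    "2010-03-26T07:51:30.610043-04:00 syslog-test.scrambled.com kernel: "
    "Kernel logging (proc) stopped.",
]

def classify_host(host):
    """Return 'ip', 'fqdn' or 'short' for a HOSTNAME field value."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    # A trailing dot alone does not make a name fully qualified.
    return "fqdn" if "." in host.rstrip(".") else "short"

def hostname_forms(lines):
    """Map each program to the hostnames it was logged under, by form."""
    seen = defaultdict(lambda: {"fqdn": set(), "short": set(), "ip": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation or malformed line
        seen[m.group("tag")][classify_host(m.group("host"))].add(m.group("host"))
    return dict(seen)

def short_name_programs(lines):
    """Programs with at least one line stored under a short hostname."""
    return sorted(p for p, f in hostname_forms(lines).items() if f["short"])

if __name__ == "__main__":
    for prog in short_name_programs(SAMPLE):
        print("short hostname seen for:", prog)
```
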
