Thanks for the pointers guys, I figured out that log4j doesn't set the syslog headers by default and haproxy doesn't set them at all. I assume they expect them to be relayed.

-Joe

On Nov 17, 2010, at 12:47 AM, Rainer Gerhards wrote:

> And if nothing else helps, you can use the property replacer to e.g. use a
> regexp to dig out the part that you are interested in.
>
> Rainer
>
>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of [email protected]
>> Sent: Tuesday, November 16, 2010 11:39 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] hostnames
>>
>> On Tue, 16 Nov 2010, Joe Williams wrote:
>>
>>> List,
>>>
>>> I am trying to standardize the hostnames that we see in our logs. It
>>> seems that the services (haproxy, etc) that log directly to the rsyslog
>>> server do this differently. Here's an example:
>>>
>>> ./ec2-<snip>.us-west-1.compute.amazonaws.com/haproxy
>>> ./domu-<snip>/haproxy
>>> ./domu-<snip>/haproxy
>>> ./domu-<snip>/haproxy
>>> ./ip-<snip>.ec2.internal/haproxy
>>>
>>> All the standard logs (user.log, syslog, messages, etc) all use a
>>> standard format like:
>>>
>>> ./domu-<snip>/syslog
>>> ./ip-<snip>/syslog
>>>
>>> As you see like in the case of ip-<snip>, ".ec2.internal" gets
>>> appended on with haproxy. In the case of
>>> ec2-<snip>.us-west-1.compute.amazonaws.com is actually coming from a
>>> host with a hostname like ip-<snip>. Hopefully this makes sense.
>>>
>>> Across the board I am using %hostname:::lowercase% to create the
>>> directories. As a test to see what the application sees vs rsyslog we
>>> added code to log the hostname in one of our applications:
>>>
>>> ec2-<snip>.us-west-1.compute.amazonaws.com/ellison:Nov 16 20:34:22 ec2-<snip>.us-west-1.compute.amazonaws.com local3: 2010-11-16 20:34:22,123 INFO [main] ejje.Ejje - Address ip-<snip>
>>>
>>> As you can see rsyslog is logging this with the "ec2-" style hostname
>>> but what the application is seeing for the hostname is the "ip-" style.
>>>
>>> Interestingly the hostname style that rsyslog sees seems to depend on
>>> what EC2 availability zone the node is in. "ec2-" hostnames are only in
>>> the us-west-1 and ap-southeast-1 zones, "ip-*.ec2.internal" and
>>> "domu-*" hostnames in us-east-1. So I think this would suggest something
>>> with DNS configurations in different zones. Additionally the "ec2-"
>>> style hostnames are actually public hostnames that aren't assigned to
>>> the machines but to a MIP or VIP, which again suggests some sort of DNS
>>> lookup.
>>>
>>> I have tried using %fromhost% with the same results. Any thoughts on
>>> what might be going on and how to fix it?
>>
>> fromhost is the DNS lookup of the IP address of the machine that last
>> touched the logs.
>>
>> if the sending host set hostname in its logs, then hostname is that
>> value.
>>
>> If the sending host did not put something that looks like a hostname in
>> the log messages, the first instance of rsyslog that receives the
>> message fills the hostname field with fromhost.
>>
>> it sounds as if your sending systems are not setting the hostname in
>> the logs, so rsyslog is filling in the fromhost.
>>
>> If you set up /etc/hosts entries for the IP addresses of these machines
>> with a short name first, I believe that rsyslog will use that as the
>> result of the name lookup.
>>
>> The better option is to go to the sending machines and figure out why
>> they aren't putting hostname in their outbound logs.
>>
>> David Lang
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com

Name: Joseph A. Williams
Email: [email protected]
Blog: http://www.joeandmotorboat.com/
Twitter: http://twitter.com/williamsjoe
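
The fallback described in the thread (hostname taken from the message header when the sender sets one, otherwise from fromhost) can be checked offline against captured messages. The following is an added example, not part of the original thread and not rsyslog's own parser; it assumes a simplified RFC 3164 layout, and the function names, sample messages and addresses are constructed for illustration.

```python
import re

# Simplified RFC 3164 layout (assumption): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
PRI_RE = re.compile(r"<(\d{1,3})>")
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Hostname-like token: name characters only, terminated by a space.
# A tag such as "haproxy[1234]:" fails because of "[" and ":".
# RFC 3164 is ambiguous here: a plain first word of MSG would also match.
HOSTNAME_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*) ")


def resolve_hostname(raw, fromhost):
    """Return (hostname, source); source is 'header' or 'fromhost'.

    The result is lowercased, mirroring %hostname:::lowercase%.
    """
    pos = 0
    m = PRI_RE.match(raw, pos)
    if m:
        pos = m.end()
    m = TIMESTAMP_RE.match(raw, pos)
    if not m:
        # No syslog header at all (e.g. a bare application log line).
        return fromhost.lower(), "fromhost"
    m = HOSTNAME_RE.match(raw, m.end())
    if not m:
        # Timestamp present, but the next token is the tag, not a hostname.
        return fromhost.lower(), "fromhost"
    return m.group(1).lower(), "header"


def senders_missing_hostname(samples):
    """List the fromhost values whose messages carried no hostname."""
    missing = set()
    for raw, fromhost in samples:
        host, source = resolve_hostname(raw, fromhost)
        if source == "fromhost":
            missing.add(host)
    return sorted(missing)


# Constructed samples: (raw message, reverse-DNS name of the sending IP).
SAMPLES = [
    ("<158>Nov 16 20:34:22 ip-10-0-0-5 haproxy[1234]: Connect from 10.0.0.9",
     "ec2-203-0-113-7.us-west-1.compute.amazonaws.com"),
    ("<158>Nov 16 20:34:22 haproxy[1234]: Connect from 10.0.0.9",
     "ec2-203-0-113-7.us-west-1.compute.amazonaws.com"),
    ("<158>2010-11-16 20:34:22,123 INFO [main] ejje.Ejje - started",
     "IP-10-0-0-6.ec2.internal"),
]

if __name__ == "__main__":
    for raw, fromhost in SAMPLES:
        print(resolve_hostname(raw, fromhost), "<-", raw[:40])
    print("senders to fix:", senders_missing_hostname(SAMPLES))
```

The senders it lists are the machines to visit when following the advice to fix the hostname at the source.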

