Look at /etc/hosts on the client. See if you have the short name or long
name listed first.

If you have the short name listed first, try switching it to long name
first. (When looking something up in /etc/hosts by IP, you get the first
name on the list.)

If this doesn't work, then what I suspect is happening is that the sending
system is putting just its hostname in the logs when it sends. Some
distros let you put a FQDN in the /etc/hostnames file without problems. If
your distro lets you do this, try doing that and see if this then changes
what's getting logged by rsyslog.

The third thing you can try is, on the server, to change it from using the
default template that logs %HOSTNAME%, which is the name the client puts
in the log, to %FROMHOST%, which is the name (looked up from the IP) of the
machine that sent the log packet to the receiving rsyslog.

David Lang
On Mon, 17 Jan 2011, Joe McDonagh wrote:
Date: Mon, 17 Jan 2011 01:49:58 -0500
From: Joe McDonagh <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] Cannot for the life of me get preservefqdn to work
Right now I currently have compatibility with version 1 on, and I am thinking
I will build a package for older nodes for version 4, mainly because I really
need fqdns. Unfortunately when I do a test between two version 4 systems,
fqdn still doesn't work. Here's some info:
root@syslog:/var/log/hosts/puppet# ps aux | grep rsyslogd | grep -v grep
root 20601 0.0 0.0 29568 1296 ? S 22:26 0:00 rsyslogd -c4 -m 0 -t61514 -x -r514
root@puppet:~# ps aux | grep rsyslog
root 30755 0.0 0.0 45844 1284 ? Sl 22:42 0:00 rsyslogd -c1 -m 0
Now I am not clear if I need PreserveFQDN on both the node and server, so I
set it on both for kicks. Here is the node config:
# /etc/rsyslog.conf Configuration file for rsyslogd.
#
# For more information see
# /usr/share/doc/rsyslog/html/rsyslog_conf.html
#
# First some standard logfiles. Log by facility.
#
$PreserveFQDN on
auth,authpriv.* /var/log/auth.log
*.*;auth.none;authpriv.none;mail.none;cron.none,daemon.none -/var/log/syslog
cron.* /dev/null
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron.none;daemon.none;\
mail.none,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/
And here is the contents of the files in the .d conf dir:
root@puppet:/var/log# cat /etc/rsyslog.d/*
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& ~
*.*,cron.none @@127.0.0.1:61514
Here is the server config:
# Config file for splitting up logs by hostname and related syslog server
# configs
# Show FQDNs
$PreserveFQDN on
# Discard collectd stuff
if $syslogtag contains 'collectd' then ~
# Discard cron stuff
if $syslogtag contains 'CRON' then ~
# Custom log files first since we may discard things like apache2 messages
# later on down.
# Aggregate of corporate website logs
$template DYNcorpsite, "/var/log/custom/corpsite_apache2.log"
if $source != 'localhost' \
and $HOSTNAME startswith 'www' \
and $syslogtag contains 'apache2' \
then ?DYNcorpsite
if $source != 'localhost' \
and $HOSTNAME contains 'updates' \
and $syslogfacility-text == 'r7license_server' \
then ?DYNr7license_servers
# Aggregate of smtp gateway logs
$template DYNsmtp_gateways, "/var/log/custom/smtp_gateways.log"
if $source != 'localhost' \
and $HOSTNAME startswith 'smtp' \
and $syslogfacility-text == 'mail' \
then ?DYNsmtp_gateways
# List of log files without loglevel separation
$template DYNapache2, "/var/log/hosts/%HOSTNAME%/apache2.log"
$template DYNauth_all, "/var/log/hosts/%HOSTNAME%/auth.log"
$template DYNcron_all, "/var/log/hosts/%HOSTNAME%/cron.log"
$template DYNdaemon_all, "/var/log/hosts/%HOSTNAME%/daemon.log"
$template DYNdhcpd, "/var/log/hosts/%HOSTNAME%/dhcpd.log"
$template DYNkern_all, "/var/log/hosts/%HOSTNAME%/kern.log"
$template DYNlpr_all, "/var/log/hosts/%HOSTNAME%/lpr.log"
$template DYNmail_all, "/var/log/hosts/%HOSTNAME%/mail.log"
$template DYNnamed, "/var/log/hosts/%HOSTNAME%/named.log"
$template DYNsshd, "/var/log/hosts/%HOSTNAME%/sshd.log"
$template DYNsyslog_all, "/var/log/hosts/%HOSTNAME%/syslog"
$template DYNuser_all, "/var/log/hosts/%HOSTNAME%/user.log"
# First separate interesting tags then discard to lower
# duplication
if $source != 'localhost' \
and $syslogtag contains 'apache2' \
then ?DYNapache2
if $syslogtag contains 'apache2' then ~
if $source != 'localhost' \
and $syslogtag contains 'dhcpd' \
then ?DYNdhcpd
if $syslogtag contains 'dhcpd' then ~
if $source != 'localhost' \
and $syslogtag contains 'named' \
then ?DYNnamed
if $syslogtag contains 'named' then ~
# Here are regular facility-based separating
if $source != 'localhost' \
and ( \
$syslogfacility-text == 'auth' \
or $syslogfacility-text == 'authpriv' \
) \
then ?DYNauth_all
if $source != 'localhost' \
and $syslogfacility-text == 'cron' \
then ?DYNcron_all
if $source != 'localhost' \
and $syslogfacility-text == 'daemon' \
then ?DYNdaemon_all
if $source != 'localhost' \
and $syslogfacility-text == 'kern' \
then ?DYNkern_all
if $source != 'localhost' \
and $syslogfacility-text == 'lpr' \
then ?DYNlpr_all
if $source != 'localhost' \
and $syslogfacility-text == 'mail' \
then ?DYNmail_all
if $source != 'localhost' \
and $syslogtag contains 'sshd' \
then ?DYNsshd
if $source != 'localhost' \
and $syslogfacility-text != 'authpriv' \
then ?DYNsyslog_all
if $source != 'localhost' \
and $syslogfacility-text == 'user' \
then ?DYNuser_all
# Logging for the mail system.
$template DYNmail_info, "/var/log/hosts/%HOSTNAME%/mail.info"
$template DYNmail_warn, "/var/log/hosts/%HOSTNAME%/mail.warn"
$template DYNmail_err, "/var/log/hosts/%HOSTNAME%/mail.err"
if $source != 'localhost' \
and ( \
$syslogfacility-text == 'mail' \
and $syslogseverity-text == 'info' \
) \
then ?DYNmail_info
if $source != 'localhost' \
and ( \
$syslogfacility-text == 'mail' \
and $syslogseverity-text == 'warn' \
) \
then ?DYNmail_warn
if $source != 'localhost' \
and ( \
$syslogfacility-text == 'mail' \
and $syslogseverity-text == 'err' \
) \
then ?DYNmail_err
# Catch-all log files
$template DYNdebug, "/var/log/hosts/%HOSTNAME%/debug"
$template DYNmessages, "/var/log/hosts/%HOSTNAME%/messages"
if $source != 'localhost' \
and $syslogseverity-text == 'debug' \
then ?DYNdebug
if $source != 'localhost' \
and ( \
$syslogseverity-text == 'info' \
or $syslogseverity-text == 'notice' \
or $syslogseverity-text == 'warn' \
) \
and ( \
$syslogfacility-text != 'auth' \
or $syslogfacility-text != 'authpriv' \
or $syslogfacility-text != 'cron' \
or $syslogfacility-text != 'daemon' \
or $syslogfacility-text != 'mail' \
or $syslogfacility-text != 'news' \
) \
then ?DYNmessages
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/
------
I can't figure this out. The messages still only show the short hostname in
both the node and server logs. Any ideas?
--
Joe McDonagh
Operations Engineer
AIM: YoosingYoonickz
IRC: joe-mac on freenode
"When the going gets weird, the weird turn pro."
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
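
Added example, not part of the original thread and not rsyslog code: a small Python model of the two names discussed in the reply above, the hostname the sender writes into the message (%HOSTNAME%) and the name the receiver gets by looking up the packet's source IP (%FROMHOST%), using the first-name-on-the-line rule for hosts-file lookups by IP. The hosts entries, addresses and log lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed receiver-side hosts file (documentation addresses and names).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
192.0.2.10   puppet.example.com puppet    # FQDN listed first
192.0.2.20   www1 www1.example.com        # short name listed first
"""

# Constructed (source IP, raw RFC 3164-style message) pairs.
SAMPLE_PACKETS = [
    ("192.0.2.10", "<38>Jan 17 01:49:58 puppet sshd[311]: session opened"),
    ("192.0.2.20", "<38>Jan 17 01:50:02 www1.example.com sshd[97]: session opened"),
    ("192.0.2.30", "<38>Jan 17 01:50:09 db1 sshd[45]: session opened"),
]

# PRI, timestamp, then the hostname field as written by the sender.
HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")


def first_name_by_ip(hosts_text):
    """Map each IP to the first name on its line: the result of a by-IP lookup."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], fields[1])
    return table


def compare(packets, hosts_text):
    """Return (hostname_in_message, name_from_source_ip, hostname_is_fqdn) rows."""
    names = first_name_by_ip(hosts_text)
    rows = []
    for src_ip, raw in packets:
        match = HEADER.match(raw)
        hostname = match.group(1) if match else None  # chosen by the sender
        fromhost = names.get(src_ip, src_ip)          # unresolved: keep the IP
        rows.append((hostname, fromhost, bool(hostname and "." in hostname)))
    return rows


if __name__ == "__main__":
    for hostname, fromhost, is_fqdn in compare(SAMPLE_PACKETS, SAMPLE_HOSTS):
        print(f"HOSTNAME={hostname!s:20} FROMHOST={fromhost:20} fqdn={is_fqdn}")
```

The first row shows a short name in the message while the receiver-side lookup yields the FQDN; the second shows the reverse when the short name is listed first in the hosts file.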