Here is one debug line.
Is there a way to log FROMHOST? That's what I'm missing.
Debug line with all properties:
FROMHOST: 'usg200', fromhost-ip: '192.168.10.1', HOSTNAME: 'domain.com',
PRI: 181,
syslogtag 'src="74.208.229.54:', programname: 'src="74.208.229.54',
APP-NAME: 'src="74.208.229.54', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Apr 8 12:22:32', STRUCTURED-DATA: '-',
msg: '0" dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL, ICMP
Type:8, service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD"
user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access
Control" ob="0" ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1
proto="PING"'
escaped msg: '0" dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL,
ICMP Type:8, service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD"
user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access
Control" ob="0" ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1
proto="PING"'
rawmsg: '<181>Apr 8 12:22:32 domain.com src="74.208.229.54:0"
dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL, ICMP Type:8,
service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD" user="unknown"
devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0"
ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1 proto="PING"'
On 04/08/2011 01:34 AM, Rainer Gerhards wrote:
I think the incoming message is ill-formed. For background, read this:
http://www.rsyslog.com/doc/syslog_parsing.html
You can create a file via
*.* /path/to/file;RSYSLOG_DebugFormat
And post the rawmsg output. Then we can probably suggest a solution. But, as
said in the paper, the proper solutions are to configure the device to emit
correct messages or create a custom parser if that's not possible.
Rainer
-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of Brano
Sent: Friday, April 08, 2011 4:39 AM
To: [email protected]
Subject: [rsyslog] Hostname missing from logs
I've recently switched from syslogd to rsyslogd on CentOS 5.5 due to the need for granular network logging.
However, I've noticed one issue with my remote log.
I'm logging from remote host called usg200 (defined in local hostfile).
It is a ZyXel USG200 router.
With syslogd, the messages in the log were like this one:
Apr 3 21:27:43 *usg200* domain.com src="76.10.x.x:500" dst="76.10.x.x:500" msg="The cookie pair is : 0x6f28d9b0e98a895a / 0x3bfecfd059520966" note="IKE_LOG" user="unknown" devID="0019cb7273a4" cat="IKE"
With rsyslog, the messages are like this:
Apr 6 14:21:04 domain.com src="76.10.x.x: 500" dst="76.10.x.x:500" msg="Recv:[HASH][NOTFY:R_U_THERE]" note="IKE_LOG" user="unknown" devID="0019cb7273a4" cat="IKE"
Notice the usg200 hostname in rsyslog just after the date is missing. I need to get it back. Any advice is highly appreciated.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
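As an added example (not from the thread, and not Rainer's or the rsyslog project's own config), a legacy-syntax rsyslog.conf fragment that logs the resolver-derived sender name %FROMHOST% ("usg200" in the debug output above) instead of the mis-parsed HOSTNAME; the output file paths are assumptions, the sender IP is the fromhost-ip from the debug output.

```conf
# Added example, not part of the thread. Legacy rsyslog.conf syntax,
# as understood by the rsyslog versions shipped for CentOS 5.
#
# The debug output shows how the ZyWALL message gets parsed: the word
# after the timestamp ("domain.com") becomes HOSTNAME and the payload
# up to the first colon ('src="74.208.229.54:') becomes syslogtag, the
# rest is msg. FROMHOST is instead resolved from the sender's IP (the
# usg200 entry in the local hosts file) and so does not depend on the
# message being well-formed. Writing %syslogtag%%msg% with no separator
# puts the original payload text back together.
$template UsgWithSender,"%TIMESTAMP% %FROMHOST% %syslogtag%%msg%\n"

# Optional while tuning: dump every property for this sender so you can
# confirm FROMHOST, syslogtag and msg look as expected. Must come before
# the discard rule below, otherwise it never sees the message.
#:fromhost-ip, isequal, "192.168.10.1" /var/log/usg200-debug.log;RSYSLOG_DebugFormat

# Route only this device by its source address (192.168.10.1 is the
# fromhost-ip from the debug output; the file path is an assumption),
# then discard the message so the generic rules do not log it again.
:fromhost-ip, isequal, "192.168.10.1" /var/log/usg200.log;UsgWithSender
& ~
```

With this template the line for the debug message above comes out as "Apr 8 12:22:32 usg200 src="74.208.229.54:0" dst=...", matching the shape the old syslogd produced.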