On Fri, 8 Apr 2011, Brano wrote:
Now when looking at this closer, let me ask this.
How can I always log FROMHOST or FROMHOST-IP for every remote host as the second
field in the log entry (right after time/date)?
...I'm not willing to trust remote hosts to provide the correct
host/source IP.
fromhost is a name lookup of fromhost-ip, so it's a relatively expensive
thing to get (if you use DNS and can't find a name it can cripple your
logging, for example).
if you want to change the log format from the default, just define a new
template and use that template in the rsyslog.conf (similar to how you
used RSYSLOG_DebugFormat for testing)
the built-in formats are a bit faster (you get ~10% better peak
performance from them than with an equivalent format defined in the config
file), but unless you are pushing the limit, you should not have a problem
note that if you are relaying messages, you only want the first machine to
use fromhost-ip; everything after that should use hostname or they will
show the relay box IPs instead of the source box IPs.
David Lang
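A template of the kind David describes, added here as an example (it is not from the thread or from the rsyslog project); it assumes the legacy `$template` syntax of rsyslog v4/v5, a UDP listener on port 514, and the property names shown in the RSYSLOG_DebugFormat output quoted below:

```conf
# Added example, not from the thread. Legacy rsyslog syntax (v4/v5).
# Puts the sender's IP address as the second field, right after the
# timestamp, instead of whatever HOSTNAME the device wrote into the message.
$ModLoad imudp
$UDPServerRun 514

# %fromhost-ip% comes from the receiving socket, not from the message text,
# so a remote device cannot change it by writing a different name into the
# header. %HOSTNAME% is kept as the third field so the device's own claim
# (here "domain.com") stays visible. %syslogtag%%msg% re-joins the two parts
# the parser split (syslogtag 'src="74.208.229.54:' + msg '0" dst=...').
$template RemoteBySourceIP,"%timereported% %fromhost-ip% %HOSTNAME% %syslogtag%%msg%\n"

# Apply it to everything that did not originate locally
# (locally generated messages carry fromhost-ip 127.0.0.1).
# Expected line for the debug sample quoted in this thread:
#   Apr  8 12:22:32 192.168.10.1 domain.com src="74.208.229.54:0" dst="76.10.x.x:0" msg=...
:fromhost-ip, !isequal, "127.0.0.1" /var/log/remote.log;RemoteBySourceIP

# On a relay, %fromhost-ip% would be the previous hop, not the original
# sender, so a downstream collector should fall back to %HOSTNAME%.
$template RelayedByHostname,"%timereported% %HOSTNAME% %syslogtag%%msg%\n"
```

The `RemoteBySourceIP` template is what belongs on the first collector only; a second-hop box receiving from that collector should select `RelayedByHostname` (or equivalent) for the reason David gives above.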
Thank you,
Brano
On 04/08/2011 12:31 PM, Brano wrote:
Here is one debug line.
Is there a way to log FROMHOST? That's what I'm missing.
Debug line with all properties:
FROMHOST: 'usg200', fromhost-ip: '192.168.10.1', HOSTNAME: 'domain.com',
PRI: 181,
syslogtag 'src="74.208.229.54:', programname: 'src="74.208.229.54',
APP-NAME: 'src="74.208.229.54', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Apr 8 12:22:32', STRUCTURED-DATA: '-',
msg: '0" dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL, ICMP
Type:8, service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD"
user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control"
ob="0" ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1 proto="PING"'
escaped msg: '0" dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL,
ICMP Type:8, service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD"
user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control"
ob="0" ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1 proto="PING"'
rawmsg: '<181>Apr 8 12:22:32 domain.com src="74.208.229.54:0"
dst="76.10.x.x:0" msg="priority:12, from WAN to ZyWALL, ICMP Type:8,
service PING, ICMP Type:8, ACCEPT" note="ACCESS FORWARD" user="unknown"
devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0"
ob_mac="000000000000" dir="WAN:ZyWALL" protoID=1 proto="PING"'
On 04/08/2011 01:34 AM, Rainer Gerhards wrote:
I think the incoming message is ill-formed. For background, read this:
http://www.rsyslog.com/doc/syslog_parsing.html
You can create a file via
*.* /path/to/file;RSYSLOG_DebugFormat
And post the rawmsg output. Then we can probably suggest a solution. But, as
said in the paper, the proper solutions are to configure the device to emit
correct messages or create a custom parser if that's not possible.
Rainer
-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of Brano
Sent: Friday, April 08, 2011 4:39 AM
To: [email protected]
Subject: [rsyslog] Hostname missing from logs
I've recently switched from syslogd to rsyslogd on CentOS 5.5 due to the
need for granular network logging.
However, I've noticed one issue with my remote log.
I'm logging from a remote host called usg200 (defined in the local hosts file).
It is a ZyXEL USG200 router.
With syslogd the messages in the log were like this one:
Apr 3 21:27:43 *usg200* domain.com src="76.10.x.x:500" dst="76.10.x.x:500" msg="The cookie pair is : 0x6f28d9b0e98a895a / 0x3bfecfd059520966" note="IKE_LOG" user="unknown" devID="0019cb7273a4" cat="IKE"
With rsyslog the messages are like this:
Apr 6 14:21:04 domain.com src="76.10.x.x: 500" dst="76.10.x.x:500" msg="Recv:[HASH][NOTFY:R_U_THERE]" note="IKE_LOG" user="unknown" devID="0019cb7273a4" cat="IKE"
Notice that in the rsyslog output the usg200 hostname just after the date is missing.
I need to get it back. Any advice highly appreciated.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com