On Mon, 6 Feb 2012, Rainer Gerhards wrote:

-----Original Message-----
From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of [email protected]
Sent: Saturday, February 04, 2012 9:27 AM
To: rsyslog-users
Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

If Rainer creates the instrumented version it would still be good to see
what's going on. I would say that for fromhost-ip to be '???' is always a
bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
IP address, I would also consider that a bug.

Yup, I agree here. It's most probably a bug, at least if no message
indicating something malicious goes along with the problem. Rsyslog checks if
it can trust the IP and prefers not to write it if there is proof something
malicious goes on - the ??? then indicates we do not know the actual IP and is
probably the best that can be done in that case. See [1], especially the comments,
for details. I have audited the code and do not see anything obviously wrong.
I noticed that there is already a lot of good debug instrumentation present,
so I just added one additional output, which makes it somewhat easier to scan
for failures inside the log file. It also provides the ultimate proof of why
the function indicates failure.

under what condition would we not be able to get the IP address of the far end of the connection?

David Lang

@Michael: You can obtain the new version via the git master branch (let me
know if you have problems obtaining it). Please try it out. We need to see at
least one occurrence of ??? in order to track down what is going on.

It would be good to track down what's actually happening here.
Indeed, especially as this is the prime reason for making separate devel and
stable branches available. ;-)

Rainer
[1] http://git.adiscon.com/?p=rsyslog.git;a=blob;f=runtime/dnscache.c;h=549bcd9328d53c4da484ac0c7dbd01c6aa2db415;hb=HEAD#l147

David Lang

On Sat, 4 Feb 2012, Michael Maymann wrote:

Hi,

SOLVED...

got it working...:-) !

I enabled debugging (David: thanks for the hint) and this was one of the entries:
---
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
escaped msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb  4 07:29:40 <IP> 00828 lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
---
The <IP> from the last line was of course the same as in the logfiles...
I confused this to be a client of a rsyslog-client twice... :-o !

I could hereafter easily edit my /etc/rsyslog.conf respectively:
---
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
#*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat

#SET DESTINATION FOR LOGS
$template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
---

David+Rainer: thanks for your help... much appreciated...:-) !

Br.
~maymann
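An added example (not from the thread or from rsyslog itself) that applies the same routing decision to records in the RSYSLOG_DebugFormat layout quoted above: a resolved FROMHOST keeps its own directory, '???' falls back first to fromhost-ip and then to the message's HOSTNAME, and a HOSTNAME that is not a bare host or IP is refused, since that field is whatever the sender wrote into the syslog header. The sample records, hosts and addresses are constructed; the path shape follows the thread's DYN* templates.

```python
import ipaddress
import re

# Constructed records in the RSYSLOG_DebugFormat layout quoted in the thread;
# hosts, addresses and message bodies are made up.
SAMPLE = """Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.17', PRI: 14,
msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2'

Debug line with all properties:
FROMHOST: 'host1.example', fromhost-ip: '127.0.0.1', HOSTNAME: 'host1.example', PRI: 6,
msg: 'imklog 4.6.2, log source = /proc/kmsg started.'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '198.51.100.9', HOSTNAME: 'switch-a', PRI: 13,
msg: ' hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '../etc', PRI: 13,
msg: ' hej'
"""

PROP_RE = re.compile(r"(FROMHOST|fromhost-ip|HOSTNAME): '([^']*)'")
# Bare hostname or dotted IPv4 literal only; slashes, '..', spaces and
# IPv6 colons are refused because the value becomes a directory name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def parse_debug_records(text):
    """One {FROMHOST, fromhost-ip, HOSTNAME} dict per record; only the
    property lines before 'msg:' are read, so message text cannot spoof them."""
    records = []
    for block in text.split("Debug line with all properties:")[1:]:
        records.append(dict(PROP_RE.findall(block.split("\nmsg:", 1)[0])))
    return records


def choose_log_dir(rec):
    """Mirror the thread's conditions: a resolved FROMHOST gets its own dir;
    '???' falls back to the peer address rsyslog read from the socket, then
    to HOSTNAME, which is whatever the sender put in the message header."""
    if rec["FROMHOST"] != "???":
        return rec["FROMHOST"], "resolved"
    try:
        ipaddress.ip_address(rec["fromhost-ip"])
        return rec["fromhost-ip"], "unresolved, using peer address"
    except ValueError:
        pass  # '???' here too: rsyslog did not know or trust the peer address
    name = rec["HOSTNAME"]
    if not SAFE_NAME.match(name):
        return None, "rejected: HOSTNAME from message is not a bare host or IP"
    return name, "unresolved, using HOSTNAME from message"


def dynafile_path(rec, year, month, suffix="messages", base="<PATH_TO>"):
    """Expand the thread's template shape base/host/host_YYYY.MM_suffix, or None."""
    host, _ = choose_log_dir(rec)
    return None if host is None else f"{base}/{host}/{host}_{year}.{month:02d}_{suffix}"


if __name__ == "__main__":
    for rec in parse_debug_records(SAMPLE):
        print(choose_log_dir(rec)[1], "->", dynafile_path(rec, 2012, 2))
```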

2012/2/4 <[email protected]>

I was actually meaning for you to do this on the server where you are
seeing the ??? show up.

but this does show that the sending machine thinks it's doing everything
correctly (assuming the <HOSTNAME> you put in the message below is actually
correct)

what I would want to see from the server log is one of the messages with
the ??? in it that you are trying to fix.


David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

Hi,

David: thanks for your reply...:-) !

This is not a known client causing the "???" entries - I don't know the
ip(s)/hostname(s), and this is why I would like to log IP instead of
hostname - as my guess is it is a network device without DNS entry...:-( !

Can I troubleshoot on the server somehow similar... or was that the
intention all along...:-o !

Here is the client-debug output anyways...:
# cat messages-debug
Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'

Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com";] (re)start'
escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com";] (re)start'
rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com";] (re)start'

Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
msg: ' hej'
escaped msg: ' hej'
rawmsg: '<13>Feb  3 11:14:30 root: hej'


Thanks in advance :-) !
~maymann


2012/2/3 <[email protected]>

 oops, that should have been RSYSLOG_DebugFormat template.

David Lang

On Thu, 2 Feb 2012, [email protected] wrote:

Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
From: [email protected]
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

what does one of these messages look like if you write it out with the
RSYSLOG_DEBUG template?

David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

Date: Fri, 3 Feb 2012 07:00:26 +0100
From: Michael Maymann <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Please... Anyone?
On Feb 2, 2012 2:17 PM, "Michael Maymann" <[email protected]> wrote:
Hi,


got it started... but still ??? dir+logfiles are showing up...
This is now my rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps

I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
??? dir+files...
What variable should I use to handle this properly?


Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <[email protected]>

Hi,


David: thanks for your reply...
Here is my new rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps

if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps

but it fails...:
# service rsyslog start
Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
                                                         [  OK  ]

my guess is it is my %FROMHOST% == '???' - is this format correct or how
is this done...


Thanks in advance :-) !
~maymann


2012/2/1 <[email protected]>

On Wed, 1 Feb 2012, Michael Maymann wrote:


Hi,


I want to log information about hosts that are not logging with correct
HOSTNAME.
In my current setup, I get a dir "???" where these host(s) are logging
to...

I would like to change this to the host's IP instead, something like:
if %FROMHOST% == '???' then %FROMHOST% == %IP


rsyslog cannot do what you are asking. It can't assign a value to a
property.

what you can do is to set up a different template and then if %fromhost%
is your special pattern you can log with this different template.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/