Hi,

I am not behind NAT..., and some hosts (also RHEL5) from the same VLAN are
logging their hostname just fine...
If this is taken from the IP header, all syslog messages (whether it be
legacy or rsyslog) will report the actual IP in a non-NAT'ed environment.
So this situation wouldn't be possible either, whether it is legacy syslog or
rsyslog - am I right ?

Rainer: Are you able to see, from the last debug output I sent you, what is
happening (think I also sent you the hostname/ip of "the problem host"
directly) ?


Br.
~maymann

2012/2/13 Rainer Gerhards <[email protected]>

>
> > -----Original Message-----
> > From: Michael Maymann [mailto:[email protected]]
> > Sent: Monday, February 13, 2012 1:25 PM
> > To: Rainer Gerhards
> > Cc: rsyslog-users
> > Subject: Re: rsyslog tarball
> >
> > Hi,
> >
> > Rainer: thanks - the fix you sent me seems to work...:-) at least on
> > hosts sending their IP... - unfortunately not all legacy syslog clients
> > do..:-( !
> >
> > I tried to restart syslog again on the host that caused "???" before,
> > but I am still unable to find either IP or hostname in the log...
> >
> >
> > is FROMHOST based on:
> > 1. dns-lookup of the IP inside the transmitted IP-packet ?
> >
> > or
> > 2. dns-lookup of what it states as its IP/hostname inside syslog-
> > message ?
> >
>
> Neither. It's just the remote peer (taken from the IP header). It's not
> taken from a syslog header field. If you use DNS reverse resolution, it's
> the name, else the IP address.
>
> >
> > I would prefer 1., as this would always be right - except if you're in a
> > NAT'ed environment...
> > Preferably NAT could be auto-detected (could it be: if traffic is
> > coming from syslog-server LAN or syslog-server default-GW then the
> > client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost
> > (nslookup of IPPacketIP) variables could be added and used if it fits
> > one's environment... ?
>
> The best route is to make sure all syslogd's emit proper RFC3164 or RFC5424
> format and simply use HOSTNAME. (you may also look at [1] for NAT and
> non-rsyslog).
>
> Rainer
> [1] http://www.rsyslog.com/article19/
> >
> >
> > Br.
> > ~maymann
> >
> >
> > 2012/2/7 Rainer Gerhards <[email protected]>
> >
> >
> >       That's a regular log file [in RSYSLOG_DebugForm], showing the log
> >       messages as you received them. That's not a debug log that shows
> >       rsyslog processing. To create the latter, do the same procedure that
> >       you used to create the content of your mail I received at 8:43am
> >       today. *That* was a debug log. Look at the content of both of your
> >       mails and you will immediately notice the difference.
> >
> >       Please also keep the mailing list CCed...
> >
> >
> >       Rainer
> >
> >       > -----Original Message-----
> >       > From: Michael Maymann [mailto:[email protected]]
> >
> >       > Sent: Tuesday, February 07, 2012 10:28 AM
> >       > To: Rainer Gerhards
> >       > Subject: Re: rsyslog tarball
> >       >
> >       > it states "Debug line with all properties:" all over the logfile...
> >       > Please tell me how to run this thing...?
> >       >
> >       > ~maymann
> >       >
> >       >
> >       >
> >       > 2012/2/7 Rainer Gerhards <[email protected]>
> >       >
> >       >
> >       >       I guess you mistook files: this was not a debug log but a
> >       >       logfile ;)
> >       >
> >       >       rainer
> >       >
> >       >
> >       >       > -----Original Message-----
> >       >       > From: Michael Maymann [mailto:[email protected]]
> >       >
> >       >       > Sent: Tuesday, February 07, 2012 10:22 AM
> >       >       > To: Rainer Gerhards
> >       >       > Cc: [email protected]; rsyslog-users
> >       >       > Subject: Re: rsyslog tarball
> >       >       >
> >       >       > Just made a shorter run with same info inside... attached...
> >       >       >
> >       >       > ~maymann
> >       >       >
> >       >       >
> >       >       > 2012/2/7 Rainer Gerhards <[email protected]>
> >       >       >
> >       >       >
> >       >       >       > -----Original Message-----
> >       >       >       > From: Michael Maymann [mailto:[email protected]]
> >       >       >
> >       >       >       > Sent: Tuesday, February 07, 2012 9:46 AM
> >       >       >       > To: Rainer Gerhards
> >       >       >       > Cc: [email protected]; rsyslog-users
> >       >       >       > Subject: Re: rsyslog tarball
> >       >       >       >
> >       >       >       > Hi Rainer,
> >       >       >       >
> >       >       >       > it is 30Mb - please provide ftp-upload...
> >       >       >
> >       >       >       Zipped or plain? If not zipped, you can probably
> >       >       >       compress it by 90+%. Anyhow, the FTP server is
> >       >       >
> >       >       >       ftp://custservice.adiscon.com/incoming
> >       >       >
> >       >       >       user anonymous, password whatever you like
> >       >       >       Note that you can only upload, NOT read. Most
> >       >       >       importantly, you won't be able to see the file when
> >       >       >       the upload is done.
> >       >       >
> >       >       >       If you can compress and mail the file, I can
> >       >       >       possibly faster access it, just if that's an option.
> >       >       >
> >       >       >       Thanks!
> >       >       >       Rainer
> >       >       >
> >       >       >
> >       >       >       >
> >       >       >       > br.
> >       >       >       > ~maymann
> >       >       >       >
> >       >       >       >
> >       >       >       > 2012/2/7 Rainer Gerhards <[email protected]>
> >       >       >       >
> >       >       >       >
> >       >       >       >
> >       >       >       >
> >       >       >       >       > -----Original Message-----
> >       >       >       >       > From: Michael Maymann [mailto:[email protected]]
> >       >       >       >       > Sent: Tuesday, February 07, 2012 8:43 AM
> >       >       >       >       > To: Rainer Gerhards; [email protected]
> >       >       >       >       > Subject: Re: rsyslog tarball
> >       >       >       >       >
> >       >       >       >       > [root@oulog001 log]# /usr/sbin/rsyslogd -c 6 -d
> >       >       >       >       >
> >       >       >       >       > 9788.497831529:7f639a331700: rsyslogd 6.3.7-postexp1 startup, compatibility mode 6, module path '', cwd:/var/log
> >       >       >       >       > 9788.497969104:7f639a331700: caller requested object 'net', not found
> >       >       >       >
> >       >       >       >       [snip]
> >       >       >       >
> >       >       >       >       Sorry, this debug info does not contain any of
> >       >       >       >       the instrumentation I need (no case occurred) I
> >       >       >       >       guess you have cut that off. Please send me a
> >       >       >       >       complete file, best as an attachment (working
> >       >       >       >       with saved mail messages is far less nice :)).
> >       >       >       >
> >       >       >       >       If the debug log is too large to mail, please
> >       >       >       >       let me know. I can provide an anonymous
> >       >       >       >       upload-only ftp server in that case.
> >       >       >       >
> >       >       >       >       Thanks!
> >       >       >       >       Rainer
> >       >       >       >
> >       >       >       >
> >       >       >
> >       >       >
> >       >       >
> >       >
> >       >
> >       >
> >
> >
> >
>
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
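
The distinction discussed in this thread, as an added example that is not part of the original messages or of rsyslog's code: FROMHOST comes from the socket peer (optionally reverse-resolved), while HOSTNAME is whatever the sender wrote into the RFC3164/RFC5424 header. The function names, the reverse-DNS table and the sample messages (192.0.2.0/24, example.com) are constructed for illustration.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME ...
RFC5424 = re.compile(r"^<\d{1,3}>\d{1,2} \S+ (\S+) ")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: ...
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ")

def header_hostname(raw):
    """Return the sender-supplied HOSTNAME header field, or None if absent."""
    m = RFC5424.match(raw)
    if m:
        return None if m.group(1) == "-" else m.group(1)  # "-" is NILVALUE
    m = RFC3164.match(raw)
    if m:
        token = m.group(1)
        # Assumption: a sender that omits HOSTNAME puts its TAG here
        # ("su:", "sshd[411]:"), so a tag-shaped token is not a hostname.
        if token.endswith(":") or "[" in token:
            return None
        return token
    return None

def classify(peer_ip, raw, reverse_dns=None):
    """Compare the transport-derived sender with the header-claimed one."""
    name = (reverse_dns or {}).get(peer_ip)   # stand-in for a PTR lookup
    fromhost = name or peer_ip                # name if resolved, else the IP
    hostname = header_hostname(raw)
    accepted = {peer_ip}
    if name:
        accepted |= {name.lower(), name.lower().split(".")[0]}
    if hostname is None:
        status = "no-header-hostname"         # only the peer address is usable
    elif hostname.lower() in accepted:
        status = "match"
    else:
        status = "mismatch"                   # relay, NAT, or a false claim
    return {"fromhost": fromhost, "hostname": hostname, "status": status}

# Constructed samples: (peer address, datagram payload)
SAMPLES = [
    ("192.0.2.10", "<13>Feb 13 13:25:01 web01 sshd[411]: session opened"),
    ("192.0.2.11", "<13>Feb 13 13:25:01 su: session opened"),
    ("192.0.2.12", "<34>1 2012-02-13T13:25:01Z db01.example.com app 1 - - up"),
]
DNS = {"192.0.2.10": "web01.example.com", "192.0.2.12": "relay.example.com"}

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, classify(ip, raw, DNS))
```

A "mismatch" is expected for relayed or NAT'ed senders; on a flat network it marks messages whose header claims a different origin than the peer address that delivered them.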
