On Tue, 14 Feb 2012, Michael Maymann wrote:

I am not behind NAT..., and some hosts (also RHEL5) from the same VLAN are
logging their hostname just fine...
If this is taken from the IP-header, all syslog-messages (whether it be
legacy or rsyslog) will report its actual IP in a non-NAT'ed environment.
So this situation wouldn't be possible, whether it is legacy syslog or
rsyslog - am I right ?

yes, fromhost-ip is taken from the IP header, so it should record the IP of any remote machine.

If it's not doing so it's a bug.

David Lang

Rainer: Are you able to see, from the last debug output I sent you, what is
happening (think I also sent you the hostname/ip of "the problem host"
directly) ?


Br.
~maymann

2012/2/13 Rainer Gerhards <[email protected]>


-----Original Message-----
From: Michael Maymann [mailto:[email protected]]
Sent: Monday, February 13, 2012 1:25 PM
To: Rainer Gerhards
Cc: rsyslog-users
Subject: Re: rsyslog tarball

Hi,

Rainer: thanks - the fix you sent me seems to work...:-) at least on
hosts sending its IP... - unfortunately not all legacy syslog clients
do..:-( !

I tried to restart syslog again on the host that caused "???" before,
but I am still unable to find either IP or hostname in the log...


is FROMHOST based on:
1. dns-lookup of the IP inside the transmitted IP-packet ?

or
2. dns-lookup of what it states as its IP/hostname inside syslog-
message ?


Neither. It's just the remote peer (taken from the IP header). It's not taken
from a syslog header field. If you use DNS reverse resolution, it's the name,
else the IP address.


I would prefer 1., as this would always be right - except if you're in a
NAT'ed environment...
Preferably NAT could be auto-detected (could it be: if traffic is
coming from syslog-server LAN or syslog-server default-GW then the
client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost
(nslookup of IPPacketIP) variables could be added and used if it fits
one's environment... ?

The best route is to make sure all syslogds emit proper RFC3164 or RFC5424
format and simply use HOSTNAME. (you may also look at [1] for NAT and
non-rsyslog).

Rainer
[1] http://www.rsyslog.com/article19/


Br.
~maymann


2012/2/7 Rainer Gerhards <[email protected]>


      That's a regular log file [in RSYSLOG_DebugForm], showing the log messages as
      you received them. That's not a debug log that shows rsyslog processing. To
      create the latter, do the same procedure that you used to create the content
      of your mail I received at 8:43am today. *That* was a debug log. Look at the
      content of both of your mails and you will immediately notice the difference.

      Please also keep the mailing list CCed...


      Rainer

     > -----Original Message-----
     > From: Michael Maymann [mailto:[email protected]]

     > Sent: Tuesday, February 07, 2012 10:28 AM
     > To: Rainer Gerhards
     > Subject: Re: rsyslog tarball
     >
     > it states "Debug line with all properties:" all over the logfile...
     > Please tell me how to run this thing...?
     >
     > ~maymann
     >
     >
     >
     > 2012/2/7 Rainer Gerhards <[email protected]>
     >
     >
     >       I guess you mistook files: this was not a debug log but a logfile ;)
     >
     >       rainer
     >
     >
     >      > -----Original Message-----
     >      > From: Michael Maymann [mailto:[email protected]]
     >
     >      > Sent: Tuesday, February 07, 2012 10:22 AM
     >      > To: Rainer Gerhards
     >      > Cc: [email protected]; rsyslog-users
     >      > Subject: Re: rsyslog tarball
     >      >
     >      > Just made a shorter run with same info inside... attached...
     >      >
     >      > ~maymann
     >      >
     >      >
     >      > 2012/2/7 Rainer Gerhards <[email protected]>
     >      >
     >      >
     >      >      > -----Original Message-----
     >      >      > From: Michael Maymann [mailto:[email protected]]
     >      >
     >      >      > Sent: Tuesday, February 07, 2012 9:46 AM
     >      >      > To: Rainer Gerhards
     >      >      > Cc: [email protected]; rsyslog-users
     >      >      > Subject: Re: rsyslog tarball
     >      >      >
     >      >      > Hi Rainer,
     >      >      >
     >      >      > it is 30Mb - please provide ftp-upload...
     >      >
     >      >       Zipped or plain? If not zipped, you can probably compress it by 90+%. Anyhow,
     >      >       the FTP server is
     >      >
     >      >       ftp://custservice.adiscon.com/incoming
     >      >
     >      >       user anonymous, password whatever you like
     >      >       Note that you can only upload, NOT read. Most importantly, you won't be able
     >      >       to see the file when the upload is done.
     >      >
     >      >       If you can compress and mail the file, I can possibly faster access it, just
     >      >       if that's an option.
     >      >
     >      >       Thanks!
     >      >       Rainer
     >      >
     >      >
     >      >      >
     >      >      > br.
     >      >      > ~maymann
     >      >      >
     >      >      >
     >      >      > 2012/2/7 Rainer Gerhards <[email protected]>
     >      >      >
     >      >      >
     >      >      >
     >      >      >
     >      >      >      > -----Original Message-----
     >      >      >      > From: Michael Maymann [mailto:[email protected]]
     >      >      >      > Sent: Tuesday, February 07, 2012 8:43 AM
     >      >      >      > To: Rainer Gerhards; [email protected]
     >      >      >      > Subject: Re: rsyslog tarball
     >      >      >      >
     >      >      >      > [root@oulog001 log]# /usr/sbin/rsyslogd -c 6 -d
     >      >      >      >
     >      >      >      > 9788.497831529:7f639a331700: rsyslogd 6.3.7-postexp1 startup, compatibility mode 6, module path '', cwd:/var/log
     >      >      >      > 9788.497969104:7f639a331700: caller requested object 'net', not found
     >      >      >
     >      >      >       [snip]
     >      >      >
     >      >      >       Sorry, this debug info does not contain any of the instrumentation I need (no
     >      >      >       case occurred) I guess you have cut that off. Please send me a complete file,
     >      >      >       best as an attachment (working with saved mail messages is far less nice :)).
     >      >      >
     >      >      >       If the debug log is too large to mail, please let me know. I can provide an
     >      >      >       anonymous upload-only ftp server in that case.
     >      >      >
     >      >      >       Thanks!
     >      >      >       Rainer
     >      >      >
     >      >      >
     >      >
     >      >
     >      >
     >
     >
     >





_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
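
The distinction drawn in the thread above, between the remote peer taken from the IP header and the HOSTNAME field inside the syslog message, shown as an added Python example (not part of the original thread and not rsyslog's code). The function names, the PTR table and the sample datagrams are constructed for illustration; the result keys only mirror the rsyslog property names fromhost-ip, fromhost and hostname.

```python
import re
import socket

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

# Constructed sample data: a reverse-DNS table and three datagrams.
PTR = {"127.0.0.1": "web01.example.net"}
SAMPLES = [
    b"<13>Feb 14 10:00:01 web01 sshd[411]: session opened",  # header agrees with peer
    b"<13>Feb 14 10:00:02 db07 su: session opened",          # header names another host
    b"<13>su: session opened",                               # no timestamp/hostname header
]

def header_hostname(datagram):
    """HOSTNAME field claimed inside the message, or None if there is no header."""
    m = RFC3164.match(datagram.decode("utf-8", "replace"))
    return m.group(1) if m else None

def short(name):
    """Compare on the first DNS label, case-insensitively."""
    return name.split(".")[0].lower()

def classify(datagram, peer_ip, resolve=None):
    """peer_ip is the datagram's source address (what recvfrom() reports);
    resolve is an optional reverse-lookup function returning a name or None."""
    fromhost = (resolve(peer_ip) if resolve else None) or peer_ip
    claimed = header_hostname(datagram)
    if claimed is None:
        status = "no-header"
    elif claimed == peer_ip or (fromhost != peer_ip and short(claimed) == short(fromhost)):
        status = "match"
    else:
        status = "mismatch"  # message content disagrees with the network peer
    return {"fromhost_ip": peer_ip, "fromhost": fromhost,
            "hostname": claimed, "status": status}

if __name__ == "__main__":
    # Loopback demo: the peer address always comes from the socket, never the payload.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for msg in SAMPLES:
        tx.sendto(msg, rx.getsockname())
        data, (peer_ip, _port) = rx.recvfrom(2048)
        print(classify(data, peer_ip, PTR.get))
```

A "mismatch" line is worth alerting on at a central collector, since the HOSTNAME field is whatever the sender chose to write.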
