Hi,

Rainer: sent you the new debug log outside the list.
Please let me know if I can do anything more to solve this.

Thanks in advance :-) !
~maymann

2012/2/14 Rainer Gerhards <[email protected]>

> > -----Original Message-----
> > From: Michael Maymann [mailto:[email protected]]
> > Sent: Tuesday, February 14, 2012 10:10 AM
> > To: Rainer Gerhards
> > Cc: rsyslog-users
> > Subject: Re: rsyslog tarball
> >
> > Hi,
> >
> > David: thanks.
> > Rainer: I will try to install a new rsyslog server with the latest
> > package you sent me. Point my troublesome host to that server and send
> > you the debug log from there...
>
> Thx, that would be great. We have a great opportunity here to finally iron
> out the cache code :)
>
> Rainer
> >
> > Br.
> > ~maymann
> >
> >
> > 2012/2/14 Rainer Gerhards <[email protected]>
> >
> >
> >       > I am not behind NAT..., and some hosts (also RHEL5) from same VLAN is
> >       > logging their hostname just fine...
> >       > If this is taken from the IP-header, all syslog-messages (whether it be
> >       > legacy or rsyslog) will report its actual IP in a non-NAT'ed
> >       > environment. So this situation wouldn't be possible neither if it is
> >       > legacy syslog or rsyslog - am I right ?
> >       >
> >       > Rainer: Are you able to see, from the last debug output I sent you,
> >       > what is happening (think I also sent you the hostname/ip of "the
> >       > problem host" directly) ?
> >
> >
> >       I think I didn't get a debug log that shows this problem. At least I have
> >       none in my mail archive.
> >
> >       In any case, in order to track this down quickly, I need a debug log where
> >       the vast majority of traffic is from a system that doesn't appear to be
> >       right. So that I can see which receive is from that system and how it is
> >       processed. It is much harder to try to analyze this if there are several
> >       hosts and I don't know what to look at. Note that I am off to the Fedora
> >       Developer Conference tomorrow and busy there for the rest of the week.
> >
> >       Rainer
> >
> >       >
> >       >
> >       > Br.
> >       > ~maymann
> >       >
> >       >
> >       > 2012/2/13 Rainer Gerhards <[email protected]>
> >       >
> >       >
> >       >
> >       >       > -----Original Message-----
> >       >       > From: Michael Maymann [mailto:[email protected]]
> >       >
> >       >       > Sent: Monday, February 13, 2012 1:25 PM
> >       >       > To: Rainer Gerhards
> >       >       > Cc: rsyslog-users
> >       >       > Subject: Re: rsyslog tarball
> >       >       >
> >       >
> >       >       > Hi,
> >       >       >
> >       >       > Rainer: thanks - the fix you sent me seems to work...:-) at least on
> >       >       > hosts sending its IP... - unfortunately not all legacy syslog clients
> >       >       > do..:-( !
> >       >       >
> >       >       > I tried to restart syslog again on the host that caused "???" before,
> >       >       > but I am still unable to find either IP or hostname in the log...
> >       >       >
> >       >       >
> >       >       > is FROMHOST based on:
> >       >       > 1. dns-lookup of the IP inside the transmitted IP-packet ?
> >       >       >
> >       >       > or
> >       >       > 2. dns-lookup of what it states as its IP/hostname inside
> >       >       > syslog-message ?
> >       >       >
> >       >
> >       >
> >       >       Neither. It's just the remote peer (taken from the IP header). It's
> >       >       not taken from a syslog header field. If you use DNS reverse
> >       >       resolution, it's the name, else the IP address.
> >       >
> >       >
> >       >       >
> >       >       > I would prefer 1., as this would always be right - except if you're
> >       >       > in a NAT'ed environment...
> >       >       > Preferably NAT could be auto-detected (could it be: if traffic is
> >       >       > coming from syslog-server LAN or syslog-server default-GW then the
> >       >       > client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost
> >       >       > (nslookup of IPPacketIP) variables could be added and used if it fits
> >       >       > ones environment... ?
> >       >
> >       >
> >       >       The best route is to make sure all syslogd's emit proper RFC3164 or
> >       >       RFC5424 format and simply use HOSTNAME. (you may also look at [1] for
> >       >       NAT and non-rsyslog).
> >       >
> >       >       Rainer
> >       >       [1] http://www.rsyslog.com/article19/
> >       >
> >       >       >
> >       >       >
> >       >       > Br.
> >       >       > ~maymann
> >       >       >
> >       >       >
> >       >       > 2012/2/7 Rainer Gerhards <[email protected]>
> >       >       >
> >       >       >
> >       >       >       That's a regular log file [in RSYSLOG_DebugForm], showing the log
> >       >       >       messages as you received them. That's not a debug log that shows
> >       >       >       rsyslog processing. To create the latter, do the same procedure that
> >       >       >       you used to create the content of your mail I received at 8:43am
> >       >       >       today. *That* was a debug log. Look at the content of both of your
> >       >       >       mails and you will immediately notice the difference.
> >       >       >
> >       >       >       Please also keep the mailing list CCed...
> >       >       >
> >       >       >
> >       >       >       Rainer
> >       >       >
> >       >       >       > -----Original Message-----
> >       >       >       > From: Michael Maymann
> > [mailto:[email protected]]
> >       >       >
> >       >       >       > Sent: Tuesday, February 07, 2012 10:28 AM
> >       >       >       > To: Rainer Gerhards
> >       >       >       > Subject: Re: rsyslog tarball
> >       >       >       >
> >       >       >       > it states "Debug line with all properties:" all over the logfile...
> >       >       >       > Please tell me how to run this thing...?
> >       >       >       >
> >       >       >       > ~maymann
> >       >       >       >
> >       >       >       >
> >       >       >       >
> >       >       >       > 2012/2/7 Rainer Gerhards
> > <[email protected]>
> >       >       >       >
> >       >       >       >
> >       >       >       >       I guess you mistook files: this was not a debug log but a
> >       >       >       >       logfile ;)
> >       >       >       >
> >       >       >       >       rainer
> >       >       >       >
> >       >       >       >
> >       >       >       >       > -----Original Message-----
> >       >       >       >       > From: Michael Maymann
> >       > [mailto:[email protected]]
> >       >       >       >
> >       >       >       >       > Sent: Tuesday, February 07, 2012 10:22
> > AM
> >       >       >       >       > To: Rainer Gerhards
> >       >       >       >       > Cc: [email protected]; rsyslog-users
> >       >       >       >       > Subject: Re: rsyslog tarball
> >       >       >       >       >
> >       >       >       >       > Just made a shorter run with same info
> >       > inside...
> >       >       > attached...
> >       >       >       >       >
> >       >       >       >       > ~maymann
> >       >       >       >       >
> >       >       >       >       >
> >       >       >       >       > 2012/2/7 Rainer Gerhards
> >       > <[email protected]>
> >       >       >       >       >
> >       >       >       >       >
> >       >       >       >       >       > -----Original Message-----
> >       >       >       >       >       > From: Michael Maymann
> >       >       > [mailto:[email protected]]
> >       >       >       >       >
> >       >       >       >       >       > Sent: Tuesday, February 07,
> > 2012 9:46
> >       > AM
> >       >       >       >       >       > To: Rainer Gerhards
> >       >       >       >       >       > Cc: [email protected]; rsyslog-
> > users
> >       >       >       >       >       > Subject: Re: rsyslog tarball
> >       >       >       >       >       >
> >       >       >       >       >       > Hi Rainer,
> >       >       >       >       >       >
> >       >       >       >       >       > it is 30Mb - please provide ftp-upload...
> >       >       >       >       >
> >       >       >       >       >       Zipped or plain? If not zipped, you can probably compress it by
> >       >       >       >       >       90+%. Anyhow, the FTP server is
> >       >       >       >       >
> >       >       >       >       >       ftp://custservice.adiscon.com/incoming
> >       >       >       >       >
> >       >       >       >       >       user anonymous, password whatever you like
> >       >       >       >       >       Note that you can only upload, NOT read. Most importantly, you
> >       >       >       >       >       won't be able to see the file when the upload is done.
> >       >       >       >       >
> >       >       >       >       >       If you can compress and mail the file, I can possibly faster
> >       >       >       >       >       access it, just if that's an option.
> >       >       >       >       >
> >       >       >       >       >       Thanks!
> >       >       >       >       >       Rainer
> >       >       >       >       >
> >       >       >       >       >
> >       >       >       >       >       >
> >       >       >       >       >       > br.
> >       >       >       >       >       > ~maymann
> >       >       >       >       >       >
> >       >       >       >       >       >
> >       >       >       >       >       > 2012/2/7 Rainer Gerhards
> >       >       > <[email protected]>
> >       >       >       >       >       >
> >       >       >       >       >       >
> >       >       >       >       >       >
> >       >       >       >       >       >
> >       >       >       >       >       >       > -----Original Message--
> > ---
> >       >       >       >       >       >       > From: Michael Maymann
> >       >       >       > [mailto:[email protected]]
> >       >       >       >       >       >       > Sent: Tuesday, February
> > 07,
> >       > 2012 8:43
> >       >       > AM
> >       >       >       >       >       >       > To: Rainer Gerhards;
> >       > [email protected]
> >       >       >       >       >       >       > Subject: Re: rsyslog
> > tarball
> >       >       >       >       >       >       >
> >       >       >       >       >       >       > [root@oulog001 log]# /usr/sbin/rsyslogd -c 6 -d
> >       >       >       >       >       >       >
> >       >       >       >       >       >       > 9788.497831529:7f639a331700: rsyslogd 6.3.7-postexp1 startup, compatibility mode 6, module path '', cwd:/var/log
> >       >       >       >       >       >       > 9788.497969104:7f639a331700: caller requested object 'net', not found
> >       >       >       >       >       >
> >       >       >       >       >       >       [snip]
> >       >       >       >       >       >
> >       >       >       >       >       >       Sorry, this debug info does not contain any of the
> >       >       >       >       >       >       instrumentation I need (no case occurred) I guess you have cut
> >       >       >       >       >       >       that off. Please send me a complete file, best as an attachment
> >       >       >       >       >       >       (working with saved mail messages is far less nice :)).
> >       >       >       >       >       >
> >       >       >       >       >       >       If the debug log is too large to mail, please let me know. I can
> >       >       >       >       >       >       provide an anonymous upload-only ftp server in that case.
> >       >       >       >       >       >
> >       >       >       >       >       >       Thanks!
> >       >       >       >       >       >       Rainer
> >       >       >       >       >       >
> >       >       >       >       >       >
> >       >       >       >       >
> >       >       >       >       >
> >       >       >       >       >
> >       >       >       >
> >       >       >       >
> >       >       >       >
> >       >       >
> >       >       >
> >       >       >
> >       >
> >       >
> >       >
> >
> >
> >
>
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
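
Added example (not part of the original thread, and not rsyslog's own code): a small Python sketch of the distinction discussed above, where FROMHOST comes from the remote peer address and HOSTNAME comes from the RFC3164 header, which the sender controls. The function name, the reverse-DNS table, the fallback for header-less messages and all sample datagrams are constructed for illustration.

```python
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:]+) (?P<rest>.*)$",
    re.S,
)

def classify(peer_ip, datagram, rdns=None):
    """Compare the peer-derived name with the name claimed in the payload.

    peer_ip  : source address as reported by recvfrom() (from the IP header)
    datagram : raw syslog payload bytes
    rdns     : hypothetical {ip: name} table standing in for a PTR lookup
    """
    rdns = rdns or {}
    # Peer identity: the reverse-resolved name if available, else the IP.
    fromhost = rdns.get(peer_ip, peer_ip)
    m = RFC3164.match(datagram.decode("utf-8", "replace"))
    if m:
        hostname, well_formed = m.group("host"), True
    else:
        # Assumption: a header-less legacy message is attributed to the peer.
        hostname, well_formed = fromhost, False
    known = {peer_ip, fromhost.lower(), fromhost.split(".")[0].lower()}
    return {
        "fromhost": fromhost,
        "fromhost_ip": peer_ip,
        "hostname": hostname,
        "well_formed": well_formed,
        # True when the payload names a host other than the peer (NAT, relay,
        # or a sender that writes an arbitrary HOSTNAME field).
        "mismatch": well_formed and hostname.lower() not in known,
    }

# Constructed reverse-DNS table and datagrams (documentation address ranges).
RDNS = {"192.0.2.10": "web01.example.net", "198.51.100.1": "gw.example.net"}
SAMPLES = [
    ("192.0.2.10", b"<34>Feb 14 10:10:01 web01 sshd[411]: session opened"),
    ("192.0.2.20", b"<13>su: 'su root' failed"),            # no RFC3164 header
    ("198.51.100.1", b"<34>Feb 14 10:10:05 db07 kernel: link up"),  # via gateway
]

def report():
    return [classify(ip, raw, RDNS) for ip, raw in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print(row)
```

A mismatch is expected behind NAT or a relay; on a flat network it is worth logging both values, since only the HOSTNAME field is under the sender's control at the application layer.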
