I am using a combination of rsyslogd and Splunk for syslog in order to please different requirements within my organization and have run into a problem.
The hostnames of some devices are not being recorded correctly. I've tried both of the following:

    #$template default,"/var/log/syslog/%HOSTNAME%/%HOSTNAME%.log"
    #*.* ?Default

    $template DynaFile,"/var/log/syslog/%HOSTNAME%/%HOSTNAME%.log"
    *.* -?DynaFile

And either way I end up with a directory and file named either "Apr" or "2012" on a few devices. If I do a tcpdump I can verify that the source information is coming into the machine.

Then I tried to do a forward to forward the logs to localhost:10514 just so I could test if Splunk would get the hostname from a forwarded message. No luck. However, if I turn rsyslogd off and turn Splunk to listen directly to port 514 it works fine. So somehow rsyslogd is not getting the hostname correctly.

I am running a bit older version:

    rsyslogd 4.6.2, compiled with:
        FEATURE_REGEXP: Yes
        FEATURE_LARGEFILE: No
        FEATURE_NETZIP (message compression): Yes
        GSSAPI Kerberos 5 support: Yes
        FEATURE_DEBUG (debug build, slow code): No
        Atomic operations supported: Yes
        Runtime Instrumentation (slow code): No

Thoughts?

Thanks!
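
A way to check the payloads seen in tcpdump against the RFC 3164 header layout, as an added example that is not part of the original post. It assumes the affected devices put extra date fields (such as the year) in the header, which the post does not confirm; the function names, sample lines and addresses are constructed.

```python
import re

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# RFC 3164 header layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text
RFC3164 = re.compile(
    r"^<\d{1,3}>"
    r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) "
)
# Characters accepted in a directory name built from the hostname field.
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def first_token_after_pri(raw):
    """Simplified model (not rsyslog's parser): the word a receiver is left
    with as 'hostname' if it does not recognise a timestamp after <PRI>."""
    body = raw.split(">", 1)[1] if raw.startswith("<") and ">" in raw else raw
    parts = body.split()
    return parts[0] if parts else ""


def log_dir_name(raw, peer_ip):
    """Return (name, reason): the directory name to use for this message."""
    m = RFC3164.match(raw)
    if not m:
        return peer_ip, "header is not RFC 3164 (next word: %r)" % first_token_after_pri(raw)
    host = m.group("host")
    if host in MONTHS or host.isdigit():
        return peer_ip, "hostname field holds a date part: %r" % host
    if not SAFE_HOST.match(host):
        return peer_ip, "hostname field is not safe as a path component"
    return host, "ok"


# Constructed sample payloads (sender address, datagram text).
SAMPLES = [
    ("192.0.2.10", "<189>Apr 10 12:00:00 sw1 %LINK-3-UPDOWN: Interface up"),
    ("192.0.2.11", "<189>Apr 10 12:00:00 2012 sw2 %LINK-3-UPDOWN: Interface up"),
    ("192.0.2.12", "<189>Apr 10 2012 12:00:00 sw3 %LINK-3-UPDOWN: Interface up"),
]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, log_dir_name(raw, ip))
```

In rsyslog itself, the sender-based counterparts of this fallback are the %FROMHOST% and %FROMHOST-IP% properties, which do not depend on the header the device sends.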

