The short answer is that most probably devices send messages in malformed format.
The long answer - including cures - is provided here:

http://www.rsyslog.com/doc/syslog_parsing.html

It's a long document and it points you to some other resources. All of them are important if you really want to understand what's going on - and solve it...

HTH
Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Luke Marrott
> Sent: Friday, April 13, 2012 5:14 PM
> To: [email protected]
> Subject: [rsyslog] Incorrect hostname from %hostname%
>
> I am using a combination of rsyslogd and Splunk for syslog in order to
> please different requirements within my organization and have run into
> a problem.
>
> The hostnames of some devices are not being recorded correctly.
>
> I've tried both of the following:
> #$template default,"/var/log/syslog/%HOSTNAME%/%HOSTNAME%.log"
> #*.* ?Default
>
> $template DynaFile,"/var/log/syslog/%HOSTNAME%/%HOSTNAME%.log"
> *.* -?DynaFile
>
> And either way I end up with a directory and file named either "Apr" or
> "2012" on a few devices.
>
> If I do a tcpdump I can verify that the source information is coming
> into the machine.
>
> Then I tried to do a forward to forward the logs to localhost:10514
> just so I could test if Splunk would get the hostname from a forwarded
> message.
>
> No luck. However, if I turn rsyslogd off and turn Splunk to listen
> directly to port 514 it works fine.
>
> So somehow rsyslogd is not getting the hostname correctly.
>
> I am running a bit older version:
>
> rsyslogd 4.6.2, compiled with:
>     FEATURE_REGEXP: Yes
>     FEATURE_LARGEFILE: No
>     FEATURE_NETZIP (message compression): Yes
>     GSSAPI Kerberos 5 support: Yes
>     FEATURE_DEBUG (debug build, slow code): No
>     Atomic operations supported: Yes
>     Runtime Instrumentation (slow code): No
>
> Thoughts?
>
> Thanks!
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
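Added example, not part of the original thread and not rsyslog's own parser: a simplified positional RFC 3164 header parser in Python showing one way a malformed header can yield "Apr" or "2012" as the hostname, followed by a plausibility check applied before the value is used in a per-host file path. The sample messages, device names and addresses are constructed, and both the year-in-timestamp cause and the fallback to the sender address are assumptions.

```python
import re

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
PRI = re.compile(r"^<\d{1,3}>")
# RFC 3164 TIMESTAMP is exactly "Mmm dd hh:mm:ss" (day space-padded), no year.
TIMESTAMP = re.compile(r"^(?:%s) [ \d]\d \d\d:\d\d:\d\d " % "|".join(MONTHS))
# One DNS-style label: letters, digits, inner hyphens. No "/" and no empty labels.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def positional_hostname(raw):
    """Token a purely positional parser takes as HOSTNAME (simplified model)."""
    body = PRI.sub("", raw, count=1)
    ts = TIMESTAMP.match(body)
    if ts:                       # a well-formed timestamp is skipped
        body = body[ts.end():]   # otherwise the next token is taken as-is
    return body.split(" ", 1)[0]


def plausible_hostname(token):
    """Reject tokens that are date fragments or unsafe as a path component."""
    if not token or len(token) > 255 or token in MONTHS or token.isdigit():
        return False
    return all(LABEL.match(label) for label in token.split("."))


def log_path(raw, sender_ip, root="/var/log/syslog"):
    """Per-host file path; falls back to the sender address (assumption)."""
    host = positional_hostname(raw)
    if not plausible_hostname(host):
        host = sender_ip
    return "%s/%s/%s.log" % (root, host, host)


# Constructed sample messages: (raw message, constructed sender address)
SAMPLES = [
    ("<13>Apr 13 17:14:02 fw01 sshd[411]: session opened", "192.0.2.11"),
    ("<189>Apr 13 2012 17:14:02 fw02 config changed", "192.0.2.12"),  # year before time
    ("<189>Apr 13 17:14:02 2012 fw03 link up", "192.0.2.13"),         # year after time
]

if __name__ == "__main__":
    for raw, ip in SAMPLES:
        print("%-6r -> %s" % (positional_hostname(raw), log_path(raw, ip)))
```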

