Not sure about the letter, but a 4 digit number in the range of 2000-2050 should work well. Shouldn't it?
Rainer

"[email protected]" <[email protected]> wrote:

Log some of the offending messages using the format RSYSLOG_Debug so that we can see the raw message and how it's parsed.

As Rainer says, it's probably generating a message that doesn't quite comply with the syslog specs (for example, the syslog spec doesn't include a year in the timestamp)

Once we see what's going on, we can look at fixing it.

Rainer, I believe that hostnames are required to have a letter in them somewhere, so it may be worth tweaking the parser so that if the hostname field has no letters in it and is a 4 digit number, treat it as the year part of the timestamp.

David Lang

On Fri, 13 Apr 2012, Luke Marrott wrote:

> Date: Fri, 13 Apr 2012 09:13:48 -0600
> From: Luke Marrott <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: [email protected]
> Subject: [rsyslog] Incorrect hostname from %hostname%
>
> I am using a combination of rsyslogd and Splunk for syslog in order to
> please different requirements within my organization and have run into a
> problem.
>
> The hostnames of some devices are not being recorded correctly.
>
> I've tried both of the following:
> #$template default,"/var/log/syslog/%HOSTNAME%/%HOSTNAME%.log"
> #*.* ?Default
>
> $template DynaFile,"/var/log/syslog/%HOSTNAME%/%HOSTNAME%.log"
> *.* -?DynaFile
>
> And either way I end up with a directory and file named either "Apr" or
> "2012" on a few devices.
>
> If I do a tcpdump I can verify that the source information is coming into
> the machine.
>
> Then I tried to do a forward to forward the logs to localhost:10514 just so
> I could test if Splunk would get the hostname from a forwarded message.
>
> No luck. However if I turn rsyslogd off and turn Splunk to listen directly
> to port 514 it works fine.
>
> So somehow rsyslogd is not getting the hostname correctly.
>
> I am running a bit older version:
>
> rsyslogd 4.6.2, compiled with:
> FEATURE_REGEXP: Yes
> FEATURE_LARGEFILE: No
> FEATURE_NETZIP (message compression): Yes
> GSSAPI Kerberos 5 support: Yes
> FEATURE_DEBUG (debug build, slow code): No
> Atomic operations supported: Yes
> Runtime Instrumentation (slow code): No
>
>
> Thoughts?
>
> Thanks!
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
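
An added illustration of the heuristic proposed in this thread (Python written for this page, not rsyslog's parser code): a simplified RFC 3164 header parser showing how a year placed after the timestamp is taken as the hostname and ends up in the DynaFile path, and how the "4 digits, no letters, 2000-2050" check recovers the real hostname. The regular expression, function names and sample messages are constructed assumptions.

```python
import re

# Simplified RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest
HEADER = re.compile(
    r"^<(?P<pri>[0-9]{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2}) "
    r"(?P<rest>.*)$"
)

def looks_like_year(token):
    """Heuristic from the thread: no letters, 4 digits, range 2000-2050."""
    return re.fullmatch(r"[0-9]{4}", token) is not None and 2000 <= int(token) <= 2050

def parse(raw, year_heuristic=False):
    """Return (timestamp, hostname, message), or None if the header does not match."""
    m = HEADER.match(raw)
    if m is None:
        return None
    ts = m.group("ts")
    host, _, msg = m.group("rest").partition(" ")
    if year_heuristic and looks_like_year(host):
        # Treat the token as the year part of the timestamp and
        # take the following token as the hostname instead.
        ts = f"{ts} {host}"
        host, _, msg = msg.partition(" ")
    return ts, host, msg

def dynafile_path(host):
    """Mirror the DynaFile template quoted in the thread."""
    return f"/var/log/syslog/{host}/{host}.log"

# Constructed sample messages (not captured from the poster's devices).
COMPLIANT = "<134>Apr 13 09:13:48 router1 link: port 3 up"
WITH_YEAR = "<134>Apr 13 09:13:48 2012 router1 link: port 3 up"

if __name__ == "__main__":
    for raw in (COMPLIANT, WITH_YEAR):
        for flag in (False, True):
            ts, host, msg = parse(raw, year_heuristic=flag)
            print(f"heuristic={flag!s:5} host={host!r:10} -> {dynafile_path(host)}")
```

Because the parsed hostname feeds a file path, a misparsed field silently splits or merges per-device logs, so the same check is useful when auditing an existing `/var/log/syslog/` tree for directories that are not hostnames.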

