> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of David Lang > Sent: Friday, January 25, 2013 7:54 AM > To: rsyslog-users > Subject: Re: [rsyslog] Preserve full FQDNs in logs while sending from rsyslog > to syslog-ng > > did you also change your default template statement to use your new > format?
There is some pretty old functionality to remove domain parts from the hostname (it's a sysklogd leftover). I think it is still controlled by command line options (-l, -s?). Also, there is a setting $PreserveFQDN (or so) that must be enabled to not do too much mangling. Finally, some older versions always removed the local domain (I fixed that maybe three years ago, I think, but many distros carry that old versions). Maybe this is another direction to look at. HTH Rainer > > It's also useful to write a log with the RSYSLOG_DebugFormat, it lists all the > variables that are set so that you can pick which one you want to use. > > also, are you sure that syslog-ng was using the hostname from the message, > not doing a reverse DNS lookup to get the hostname? (that would be the > %FROMHOST% variable in rsyslog) > > David Lang > > On Fri, 25 Jan 2013, shadyabhi wrote: > > > Hi David, > > > > Thanks for you reply. I added, > > > > # A template that resambles traditional syslogd file output: > > $template TraditionalFormat,"%timegenerated% %HOSTNAME% > > %syslogtag%%msg:::drop-last-lf%\n" > > > > to my already existing rsyslog.conf but it didn't help. Can you please > > be more specific about how the conf file should look like? > > > > > > On 01/25/2013 12:27 AM, David Lang wrote: > >> you want to change your default template, the TraditionalFileFormat > >> matches the old syslog RFC, which specifies that hostnames should be > shortened. > >> > >> David Lang > >> > >> On Thu, 24 Jan 2013, shadyabhi wrote: > >> > >>> Date: Thu, 24 Jan 2013 18:10:48 +0530 > >>> From: shadyabhi <[email protected]> > >>> Reply-To: rsyslog-users <[email protected]> > >>> To: [email protected] > >>> Subject: [rsyslog] Preserve full FQDNs in logs while sending from > >>> rsyslog to > >>> syslog-ng > >>> > >>> Hi, > >>> > >>> I am trying to send logs from rsyslog to syslog-ng server via UDP. > >>> If the hostname for the box is foobar.server.com, I only get foobar in the > logs. > >>> For ex, I get > >>> > >>> Jan 24 12:31:08 foobar policyd: connection from: 127.0.0.1 port: > >>> 45594 > >>> slots: 0 of 4096 used > >>> but what I expected was: > >>> Jan 24 12:31:08 foobar.server.com policyd: connection from: > >>> 127.0.0.1 > >>> port: 45594 slots: 0 of 4096 used > >>> > >>> My rsyslog.conf: > >>> > >>> $ModLoad imuxsock > >>> $ModLoad imklog > >>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat > >>> $IncludeConfig /etc/rsyslog.d/*.conf $PreserveFQDN on > >>> *.info;mail.none;authpriv.none;cron.none /var/log/messages > >>> authpriv.* /var/log/secure > >>> mail.* -/var/log/maillog > >>> cron.* /var/log/cron > >>> *.emerg * > >>> uucp,news.crit /var/log/spooler > >>> local7.* /var/log/boot.log > >>> @syslog.server.com:514 > >>> > >>> And my syslog-ng.conf looks like: http://sprunge.us/OUOL > >>> > >>> Also, I want to point out that sending logs from syslog to syslog-ng > >>> works perfectly. > >>> > >>> > >> _______________________________________________ > >> rsyslog mailing list > >> http://lists.adiscon.net/mailman/listinfo/rsyslog > >> http://www.rsyslog.com/professional-services/ > >> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > >> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > >> you DON'T LIKE THAT. > > > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
