I am using rsyslog-5.8.10-2.el6.x86_64 to send and am receiving via syslog-ng-3.2.5-3.el6.x86_64.

When I send from sysklogd-1.4.1-46.el5, it works without any issues. The thing is, the new boxes that are being set up have CentOS 6, which comes with rsyslog, so I have to somehow make it work. Syslog on CentOS 5, which works, is started with the options "-m 0 -x".

I already have $PreserveFQDN set to on, so I don't know what's deleting part of the hostname. I also checked that both "-l" and "-s" are there to trim the hostname and not to expand it, and I don't have any of those.

I start rsyslog as:

[root@server]# pgrep -fl sysl
11892 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
[root@server]#

On Fri, Jan 25, 2013 at 12:31 PM, Rainer Gerhards <[email protected]> wrote:

> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of David Lang
> > Sent: Friday, January 25, 2013 7:54 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Preserve full FQDNs in logs while sending from rsyslog to syslog-ng
> >
> > did you also change your default template statement to use your new
> > format?
>
> There is some pretty old functionality to remove domain parts from the
> hostname (it's a sysklogd leftover). I think it is still controlled by
> command line options (-l, -s?). Also, there is a setting $PreserveFQDN (or
> so) that must be enabled to not do too much mangling. Finally, some older
> versions always removed the local domain (I fixed that maybe three years
> ago, I think, but many distros carry those old versions).
>
> Maybe this is another direction to look at.
>
> HTH
> Rainer
>
> > It's also useful to write a log with the RSYSLOG_DebugFormat, it lists all the
> > variables that are set so that you can pick which one you want to use.
> >
> > also, are you sure that syslog-ng was using the hostname from the message,
> > not doing a reverse DNS lookup to get the hostname?
> > (that would be the %FROMHOST% variable in rsyslog)
> >
> > David Lang
> >
> > On Fri, 25 Jan 2013, shadyabhi wrote:
> >
> > > Hi David,
> > >
> > > Thanks for your reply. I added,
> > >
> > > # A template that resembles traditional syslogd file output:
> > > $template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
> > >
> > > to my already existing rsyslog.conf but it didn't help. Can you please
> > > be more specific about what the conf file should look like?
> > >
> > >
> > > On 01/25/2013 12:27 AM, David Lang wrote:
> > >> you want to change your default template, the TraditionalFileFormat
> > >> matches the old syslog RFC, which specifies that hostnames should be
> > >> shortened.
> > >>
> > >> David Lang
> > >>
> > >> On Thu, 24 Jan 2013, shadyabhi wrote:
> > >>
> > >>> Date: Thu, 24 Jan 2013 18:10:48 +0530
> > >>> From: shadyabhi <[email protected]>
> > >>> Reply-To: rsyslog-users <[email protected]>
> > >>> To: [email protected]
> > >>> Subject: [rsyslog] Preserve full FQDNs in logs while sending from
> > >>> rsyslog to syslog-ng
> > >>>
> > >>> Hi,
> > >>>
> > >>> I am trying to send logs from rsyslog to syslog-ng server via UDP.
> > >>> If the hostname for the box is foobar.server.com, I only get foobar in the logs.
> > >>> For ex, I get
> > >>>
> > >>> Jan 24 12:31:08 foobar policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used
> > >>>
> > >>> but what I expected was:
> > >>>
> > >>> Jan 24 12:31:08 foobar.server.com policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used
> > >>>
> > >>> My rsyslog.conf:
> > >>>
> > >>> $ModLoad imuxsock
> > >>> $ModLoad imklog
> > >>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > >>> $IncludeConfig /etc/rsyslog.d/*.conf
> > >>> $PreserveFQDN on
> > >>> *.info;mail.none;authpriv.none;cron.none /var/log/messages
> > >>> authpriv.* /var/log/secure
> > >>> mail.* -/var/log/maillog
> > >>> cron.* /var/log/cron
> > >>> *.emerg *
> > >>> uucp,news.crit /var/log/spooler
> > >>> local7.* /var/log/boot.log
> > >>> @syslog.server.com:514
> > >>>
> > >>> And my syslog-ng.conf looks like: http://sprunge.us/OUOL
> > >>>
> > >>> Also, I want to point out that sending logs from syslog to syslog-ng
> > >>> works perfectly.
> > >>>
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> > >> you DON'T LIKE THAT.

--
Regards,
Abhijeet Rastogi (shadyabhi)
https://plus.google.com/107316377741966576356/
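
The thread leaves open whether the domain part is lost on the rsyslog sender or replaced on the syslog-ng receiver, so here is an added diagnostic sketch (not part of the original thread, and not code from rsyslog or syslog-ng) that compares the HOSTNAME field of a captured UDP payload with the line the collector stored. The function names are hypothetical, and the sample payloads are constructed from the log line quoted above with an assumed PRI of 22.

```python
import ipaddress
import re

TS = r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"
# RFC 3164 payload on the wire: <PRI>TIMESTAMP HOSTNAME TAG: message
WIRE_RE = re.compile(r"^<(\d{1,3})>" + TS + r" (\S+) ")
# Line as the collector wrote it to disk: TIMESTAMP HOSTNAME TAG: message
STORED_RE = re.compile(r"^" + TS + r" (\S+) ")


def wire_hostname(datagram: bytes) -> str:
    """HOSTNAME field exactly as the sender put it in the UDP payload."""
    m = WIRE_RE.match(datagram.decode("utf-8", "replace"))
    if m is None or int(m.group(1)) > 191:  # PRI = facility*8 + severity
        raise ValueError("not an RFC 3164 message with a valid PRI")
    return m.group(2)


def stored_hostname(line: str) -> str:
    """HOSTNAME field of the line the collector stored."""
    m = STORED_RE.match(line)
    if m is None:
        raise ValueError("unrecognised stored line")
    return m.group(1)


def is_fqdn(host: str) -> bool:
    """True for a dotted name; an IP address in the field is not an FQDN."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host.strip(".")


def diagnose(datagram: bytes, stored_line: str) -> str:
    """Say which side lost the domain part: 'sender', 'receiver' or 'ok'."""
    on_wire = wire_hostname(datagram)
    if not is_fqdn(on_wire):
        return "sender"      # already short when it left the client
    if stored_hostname(stored_line).lower() != on_wire.lower():
        return "receiver"    # collector replaced it (e.g. DNS lookup, trimming)
    return "ok"


# Constructed samples built from the log line quoted in the thread (PRI 22 assumed).
MSG = "policyd: connection from: 127.0.0.1 port: 45594 slots: 0 of 4096 used"
SHORT_WIRE = f"<22>Jan 24 12:31:08 foobar {MSG}".encode()
FQDN_WIRE = f"<22>Jan 24 12:31:08 foobar.server.com {MSG}".encode()
STORED_SHORT = f"Jan 24 12:31:08 foobar {MSG}"
STORED_FQDN = f"Jan 24 12:31:08 foobar.server.com {MSG}"
```

A result of "sender" points at the rsyslog side (template, $PreserveFQDN, version), while "receiver" points at how syslog-ng derives the host name it writes.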

