James, the DNS lookups are done even if you don't use fromhost in any template,
rsyslog populates it even if you don't use it.
fromhost-ip doesn't do any DNS lookups
if you start rsyslog with the -x flag it won't do DNS lookups.
David Lang
On Tue, 4 Jun 2013, Boylan, James wrote:
If you decide to start using fromhost or fromhost-ip as a standard part of your
template I highly recommend installing nscd (For *nix, or your OS equivalent)
so that the DNS queries are cache. Otherwise you can put a considerable amount
of extra load onto your DNS servers.
-James
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Lang
Sent: Tuesday, June 04, 2013 1:35 AM
To: rsyslog-users
Subject: Re: [rsyslog] Debug not working
On Mon, 3 Jun 2013, Eric wrote:
Maybe a health check from a load balancer? I know I had to set specific discard
rules for the host (F5) that was executing the health check, otherwise I'd get
random spam like this.
Eric
On Jun 3, 2013, at 2:23 PM, Josh Bitto <[email protected]> wrote:
I am trying to run a debug to track down an issue that I'm having, and it isn't
creating the file.
This is the line that I have in my config.
*.* /var/log/debugformat;RSYSLOG_DebugFormat
The reason why I'm trying to do a debug is I'm getting a directory that has no
real host name. I have my config setup on templates and based on Hosts that
come in they get assigned to a specific directory.
So that being said I get a directory (which is supposed to be legit host names
that I have on my network.
Example:
/hosts/host1
/hosts/host2
/hosts/host3...etc.
But I am picking up one that I have no idea what it is /hosts/last
And the contents of the folder is a file named success and the contents of the file is
"last message repeated 3 times"
They have time stamps and it just repeats over and over. I don't believe I have
an error in my config, but I could be wrong. Any suggestions?
you have some system on your network that is set to collapse duplicate messages
into 'last message repeated X times' logs, and when it's sending that out, it
doesn't bother to put it's hostname in the message, so when the central box
gets it, it follows the parsing rule and can't tell that 'last' is not a
hostname.
Since you are loggign in debug format, you should be able to see the fromhost
or fromhost-ip, which will tell you which box is doing this.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
