$source is a reverse DNS lookup of the IP address that the logs come from. What
do you get when you do an nslookup of those IP addresses?
Hostname should be what's in the message, is that no longer the case?
David Lang
On Fri, 21 Jun 2013, Josh Bitto wrote:
Hello Everyone,
Well I did an update on my syslog server that uses rsyslog. I went from version
(whatever was current in April) to rsyslog-7.4.1-1.el6.x86_64 as well as other
updates (yum update). When I restarted the service for rsyslog it changed the
nature of two hosts that are logged to their respective allocations.
I looked at the config and the rsyslog.conf has not changed at all.
So my question is with the newest release available from a centos mirror would
there be any changes that were made that would define how to log data that
comes in?
Sample of my config that pertains to this issue:
$template zonedir,"/var/log/hosts/%HOSTNAME%/messages"
$template zonedir1,"/var/log/hosts/%HOSTNAME%/success"
if $source == 'zonedirector.it.kcc.lan' and $syslogseverity <= '4' then{
*.* ?zonedir
} else {
*.* ?zonedir1
stop
}
Under normal circumstances the way that it would be logged is to
/var/log/hosts/hostname/messages
/var/log/hosts/hostname/success
NOW....what is happening is I'm getting an entirely new directory with the full
fqdn as the directory name.
/var/log/hosts/fqdn.at.some.network/messages
Which includes both message and success logs as outlined in the above config.
There are only two hosts that are doing this, but both of them are doing the
same thing. The weird part is there are other hosts that are also set up the
exact same way and they are not logging in this manner. Any ideas?
The reason I have it set up this way is that I can still log crucial and
non-crucial data and point my splunk server to a crucial file location for
indexing.
Joshua Bitto
Information Technologist
KCC
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
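An added example (not part of the original thread, and not rsyslog code) of the comparison asked for in the reply: the reverse DNS name of each sending address against the hostname field carried in the message, which is what %HOSTNAME% in the templates expands to. The addresses, the PTR table, the host ap2 and the log lines are constructed; on a real server, leave out the resolver argument to use the system resolver.

```python
import re
import socket

# RFC 3164 style line: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text"
HEADER = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

def reverse_name(ip, resolver=socket.gethostbyaddr):
    """PTR name for the sending address, or the address itself if there is none."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return ip

def check_sender(ip, raw_line, resolver=socket.gethostbyaddr):
    """Compare the hostname field inside the message with the sender's PTR name."""
    m = HEADER.match(raw_line)
    if not m:
        raise ValueError("no RFC 3164 header in %r" % raw_line)
    msg_host = m.group(2)
    ptr = reverse_name(ip, resolver).rstrip(".")
    return {
        "ip": ip,
        "severity": int(m.group(1)) % 8,  # PRI = facility * 8 + severity
        "msg_hostname": msg_host,
        "reverse_dns": ptr,
        "directory": "/var/log/hosts/%s" % msg_host,  # %HOSTNAME% in the template
        "dotted_name": "." in msg_host,  # full dotted name instead of a short one
        "names_match": msg_host.lower() == ptr.lower(),
    }

# Constructed data: documentation addresses, hypothetical PTR records and lines.
PTR = {"192.0.2.10": "zonedirector.it.kcc.lan", "192.0.2.11": "ap2.it.kcc.lan"}
SAMPLES = [
    ("192.0.2.10", "<132>Jun 21 10:15:02 zonedirector.it.kcc.lan app: constructed"),
    ("192.0.2.11", "<134>Jun 21 10:15:03 ap2 app: constructed"),
]

def fake_resolver(ip):
    """Offline stand-in with the same return shape as socket.gethostbyaddr."""
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return (PTR[ip], [], [ip])

if __name__ == "__main__":
    for ip, line in SAMPLES:
        r = check_sender(ip, line, fake_resolver)
        print("%(ip)s msg=%(msg_hostname)s ptr=%(reverse_dns)s -> %(directory)s "
              "dotted=%(dotted_name)s match=%(names_match)s" % r)
```

A sender whose row shows a dotted name is one that will get its own FQDN-named directory under /var/log/hosts.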