David, I looked at my rsyslog.conf and there are no functions that I can find for the preservefqdn. I can send a copy of my config if you want. Anywho I can talk with the admin that handles those two systems and see if he made any changes that could support your theory.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
Sent: Friday, June 21, 2013 4:35 PM
To: rsyslog-users
Subject: Re: [rsyslog] Changes from update?

On Fri, 21 Jun 2013, Josh Bitto wrote:

> Doing a reverse lookup I get the entire fqdn....which has always been the
> case for any reverse lookup.
>
> For rsyslog that hasn't been the case. When I finally put rsyslog into
> production the host names would come up with generic names. NOT the fqdn
> which I was fine with that.
>
> Some more information to help shed light on this....
>
> On May 30th I updated from
> Updated rsyslog-7.2.6-3.el6.x86_64 TO 7.2.7-1.el6.x86_64 via yum
> update
>
> Today I updated from
> Updated rsyslog-7.2.7-1.el6.x86_64 TO 7.4.1-1.el6.x86_64 via
> yum update
>
> So up until today the way that rsyslog was handling the host names would be
> like this.
>
> If my fqdn was server1.test.domain.lan then it would put it in a
> folder labeled server1
> As of the change it goes to a folder with the full
> fqdn.

Ok, that does help.

There is a config option called preservefqdn, it sounds like it's gotten turned on. This could be a bug, or it could be that you include configs (say from /etc/rsyslog.conf.d) and something in the upgrade dropped a config file in there. Check that and also try explicitly turning it off.

Also, this only strips off the domain part of the name if it's the same as the server, did this change?

Another thing to check is to see if the sending system is putting the full name or the short name in the log when it sends it out. The fact that this is only happening for a couple of systems makes me suspicious that the senders have started to put it in the log when they send it.

David Lang

> Hope this helps with clarity.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of David Lang
> Sent: Friday, June 21, 2013 3:06 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Changes from update?
>
> $source is a reverse DNS lookup of the IP address that the logs come from.
> what do you get when you do a nslookup of those IP addresses?
>
> hostname should be what's in the message, is that no longer the case?
>
> David Lang
>
> On Fri, 21 Jun 2013, Josh Bitto wrote:
>
>> Hello Everyone,
>>
>> Well I did an update on my syslog server that uses rsyslog. I went from
>> version (whatever was current in april) to rsyslog-7.4.1-1.el6.x86_64 as
>> well as other updates (yum update) when I restarted the service for rsyslog
>> it changed the nature of two hosts that are logged to their respective
>> allocations.
>>
>> I looked at the config and the rsyslog.conf has not changed at all.
>>
>> So my question is with the newest release available from a centos mirror
>> would there be any changes that were made that would define how to log
>> data that comes in?
>>
>> Sample of my config that pertains to this issue:
>>
>> $template zonedir,"/var/log/hosts/%HOSTNAME%/messages"
>> $template zonedir1,"/var/log/hosts/%HOSTNAME%/success"
>>
>>
>> if $source == 'zonedirector.it.kcc.lan' and $syslogseverity <= '4'
>> then{
>> *.* ?zonedir
>> } else {
>> *.* ?zonedir1
>> stop
>> }
>>
>> Under normal circumstances the way that it would be logged is to
>> /var/log/hosts/hostname/messages /var/log/hosts/hostname/success
>>
>> NOW....what is happening is I'm getting an entirely new directory with the
>> full fqdn as the directory name.
>> /var/log/hosts/fqdn.at.some.network/messages
>>
>> Which includes both message and success logs as outlined in the above config.
>>
>> There are only two hosts that are doing this, but both of them are doing the
>> same thing. The weird part is there are other hosts that are also set up the
>> exact same way and they are not logging in this manner. Any ideas?
>>
>> The reason I have it set up this way is that I can still log crucial and
>> non-crucial data and point my splunk server to a crucial file location for
>> indexing.
>>
>>
>> Joshua Bitto
>> Information Technologist
>> KCC
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
>> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
>> THAT.
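
The two checks suggested in the thread (look for a PreserveFQDN setting in the main config and any included files, and see whether the sender itself writes the full name into the message), as an added shell example that is not part of the original posts. The function names, the temporary directory and the sample syslog line are constructed for illustration; the search matches both the legacy `$PreserveFQDN` directive and the `global(preserveFQDN="...")` form.

```shell
#!/bin/sh
# Added example: config and sender checks for the FQDN-vs-short-name question.

# List every non-comment line mentioning PreserveFQDN in the given files or
# directories, as file:line:text (searches directories recursively).
find_preservefqdn() {
    for path in "$@"; do
        [ -e "$path" ] || continue
        grep -rHniE '^[^#]*preservefqdn' "$path" || true
    done
}

# Succeeds if any of those lines switches the option on.
preservefqdn_enabled() {
    find_preservefqdn "$@" | grep -qiE 'preservefqdn[[:space:]="]*on'
}

# Print the HOSTNAME field of a raw RFC 3164 line:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
sender_hostname() {
    printf '%s\n' "$1" | sed 's/^<[0-9]*>//' | awk '{ print $4 }'
}

# Classify what the sender wrote: fqdn, ip (dotted numeric) or short.
sender_name_kind() {
    case "$(sender_hostname "$1")" in
        *[!0-9.]*.*|*.*[!0-9.]*) echo fqdn ;;
        *.*)                     echo ip ;;
        *)                       echo short ;;
    esac
}

# Constructed demo input: a drop-in file such as an upgrade might leave behind,
# and one raw message from a sender that uses its full name.
demo=$(mktemp -d)
printf '%s\n' '# constructed drop-in' '$PreserveFQDN on' > "$demo/extra.conf"
find_preservefqdn "$demo"
sender_name_kind '<30>Jun 21 16:35:01 server1.test.domain.lan app: constructed sample'
rm -rf "$demo"
```

Point `find_preservefqdn` at the main config file and every include directory the config references; feed `sender_name_kind` raw lines as received, before rsyslog rewrites the hostname.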

