Thanks Rainer, I actually reverted back to the previous version and can confirm it. It started logging the initial way that it has been. So I think I will keep with that version for now.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
Sent: Monday, June 24, 2013 8:46 AM
To: rsyslog-users
Subject: Re: [rsyslog] Changes from update?

On Mon, Jun 24, 2013 at 5:26 PM, Josh Bitto <[email protected]> wrote:

> David,
>
> I looked at my rsyslog.conf and there are no functions that I can find for the preservefqdn. I can send a copy of my config if you want.
> Anywho I can talk with the admin that handles those two systems and see if he made any changes that could support your theory.
>
>

The ChangeLog tells that in 7.3.11 there was a bugfix for FQDN's not being properly handled. It claims this bug:

http://bugzilla.adiscon.com/show_bug.cgi?id=426

Sounds like this is related.

Rainer

>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> Sent: Friday, June 21, 2013 4:35 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Changes from update?
>
> On Fri, 21 Jun 2013, Josh Bitto wrote:
>
> > Doing a reverse lookup I get the entire fqdn....which has always been the case for any reverse lookup.
> >
> > For rsyslog that hasn't been the case. When I finally put rsyslog into production the host names would come up with generic names. NOT the fqdn which I was fine with that.
> >
> > Some more information to help shed light on this....
> >
> >
> > On May 30th I updated from
> > Updated rsyslog-7.2.6-3.el6.x86_64 TO 7.2.7-1.el6.x86_64 via yum update
> >
> > Today I updated from
> > Updated rsyslog-7.2.7-1.el6.x86_64 TO 7.4.1-1.el6.x86_64 via yum update
> >
> > So up until today the way that rsyslog was handling the host names would be like this.
> >
> > If my fqdn was server1.test.domain.lan then it would put it in a folder labeled server1
> > As of the change it goes to a folder with the full fqdn.
>
> Ok, that does help. There is a config option called preservefqdn, it sounds like it's gotten turned on.
>
> this could be a bug, or it could be that you include configs (say from /etc/rsyslog.conf.d) and something in the upgrade dropped a config file in there.
>
> check that and also try explicitly turning it off
>
> Also, this only strips off the domain part of the name if it's the same as the server, did this change?
>
> Another thing to check is to see if the sending system is putting the full name or the short name in the log when it sends it out.
>
> The fact that this is only happening for a couple of systems makes me suspicious of the senders have started to put it in the log when they send it.
>
> David Lang
>
> > Hope this helps with clarity.
> >
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > Sent: Friday, June 21, 2013 3:06 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Changes from update?
> >
> > $source is a reverse DNS lookup of the IP address that the logs come from. what do you get when you do a nslookup of those IP addresses?
> >
> > hostname should be what's in the message, is that no longer the case?
> >
> > David Lang
> >
> > On Fri, 21 Jun 2013, Josh Bitto wrote:
> >
> >> Hello Everyone,
> >>
> >> Well I did an update on my syslog server that uses rsyslog. I went from version (whatever was current in april) to rsyslog-7.4.1-1.el6.x86_64 as well as other updates (yum update) when I restarted the service for rsyslog it changed the nature of two hosts that are logged to their respective allocations.
> >>
> >> I looked at the config and the rsyslog.conf has not changed at all.
> >>
> >> So my question is with the newest release available from a centos mirror would there be in any changes that were made that would define how to log data that comes in?
> >>
> >> Sample of my config that pertains to this issue:
> >>
> >> $template zonedir,"/var/log/hosts/%HOSTNAME%/messages"
> >> $template zonedir1,"/var/log/hosts/%HOSTNAME%/success"
> >>
> >>
> >> if $source == 'zonedirector.it.kcc.lan' and $syslogseverity <= '4'
> >> then{
> >> *.* ?zonedir
> >> } else {
> >> *.* ?zonedir1
> >> stop
> >> }
> >>
> >> Under normal circumstances the way that it would be logged is to
> >> /var/log/hosts/hostname/messages
> >> /var/log/hosts/hostname/success
> >>
> >> NOW....what is happening is I'm getting an entirely new directory with the full fqdn as the directory name.
> >> /var/log/hosts/fqdn.at.some.network/messages
> >>
> >> Which includes both message and success logs as outlined in the above config.
> >>
> >> There are only two hosts that are doing this, but both of them are doing the same thing. The weird part is there are other hosts that are also setup the exact same way and they are not logging in this manner. Any ideas?
> >>
> >> The reason I have it setup is this way is that I can still log crucial and non-crucial data and point my splunk server to a crucial file location for indexing.
> >>
> >>
> >> Joshua Bitto
> >> Information Technologist
> >> KCC
> >>
> >>
> >>
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
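
The two checks suggested in the thread (an included config that sets preservefqdn, and a host whose logs now land under both its short name and its FQDN), written as a small shell helper. This is an added example, not part of the thread or of rsyslog; the function names are hypothetical, the `*.conf` include glob is an assumption, and all paths are passed in as arguments.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths come from arguments.

# find_preservefqdn CONF [INCLUDE_DIR]
# Print file:line:text for every non-comment line that mentions preservefqdn,
# covering both "$PreserveFQDN on" and global(preserveFQDN="on").
# Returns 0 if at least one such line exists, non-zero otherwise.
find_preservefqdn() {
    conf=$1
    incdir=${2:-}
    set -- "$conf"
    if [ -n "$incdir" ] && [ -d "$incdir" ]; then
        for f in "$incdir"/*.conf; do   # assumed include glob
            if [ -f "$f" ]; then set -- "$@" "$f"; fi
        done
    fi
    grep -Hin 'preservefqdn' "$@" 2>/dev/null |
        grep -v '^[^:]*:[0-9]*:[[:space:]]*#'
}

# split_host_dirs BASE
# Print "short fqdn" for each host that has both BASE/short and BASE/fqdn,
# i.e. whose logs are now split across two directories.
split_host_dirs() {
    base=$1
    for d in "$base"/*.*/; do
        [ -d "$d" ] || continue
        fqdn=$(basename "$d")
        short=${fqdn%%.*}
        if [ -n "$short" ] && [ -d "$base/$short" ]; then
            printf '%s %s\n' "$short" "$fqdn"
        fi
    done
    return 0
}

# Usage: sh check.sh /etc/rsyslog.conf /etc/rsyslog.conf.d /var/log/hosts
if [ "$#" -ge 3 ]; then
    find_preservefqdn "$1" "$2" || echo "no active preservefqdn setting found"
    split_host_dirs "$3"
fi
```

A host reported by `split_host_dirs` has part of its history under each name, so anything indexing a fixed per-host path (such as the Splunk input mentioned in the thread) needs to cover both directories until the naming is settled.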

