On Tue, 19 Aug 2014, Ivan Lezhnjov IV wrote:
Hello,
On Aug 15, 2014, at 6:17 PM, Rainer Gerhards <[email protected]> wrote:
On Fri, Aug 15, 2014 at 5:13 PM, Mike Hoskins (michoski) <[email protected]> wrote:
I thought %FROMHOST% caused a DNS lookup on rsyslog's side, while
%HOSTNAME% just used the hostname sent in the message...others will
correct if my memory is bad.
That's right, but I think we fall back to a DNS lookup if there is no
detectable hostname in the message (not 100% sure, though).
So if %HOSTNAME% is not right, it must be
something on the client side.
can very well be, but sounded more like DNS resolution.
I think you just use %rawmsg% to get the raw message. :-)
http://www.rsyslog.com/doc/property_replacer.html
yup or use
*.* /var/log/messagedebug;RSYSLOG_DebugFormat
which will write out all properties.
This is what a normal message looks like:
Debug line with all properties:
FROMHOST: '172.16.16.4', fromhost-ip: '172.16.16.4', HOSTNAME: 'xyz-DDDD-02', PRI: 86,
syslogtag 'su[42661]:', programname: 'su', APP-NAME: 'su', PROCID: '42661', MSGID: '-',
TIMESTAMP: 'Aug 19 02:11:58', STRUCTURED-DATA: '-',
msg: ' pam_unix(su:session): session closed for user postgres'
escaped msg: ' pam_unix(su:session): session closed for user postgres'
inputname: imtcp rawmsg: '<86>Aug 19 02:11:58 xyz-DDDD-02 su[42661]: pam_unix(su:session): session closed for user postgres'
Are we interested in this only, or also what debug message is going to look
like when the suspected DNS resolution failure occurs again?
It would be good to get one of a failing message.
In this case, the HOSTNAME is pulled directly from the rawmsg, so no DNS lookup
is done there.
Normally FROMHOST is a DNS lookup of fromhost-ip, so this message shows a
"normal" DNS failure.
This makes me think that you have a situation where the sender isn't properly
populating the hostname field of the message under some conditions.
David Lang
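
Added example (not part of the original thread and not rsyslog's own code): a Python check of the kind the last reply points to, splitting a `rawmsg` value as captured by RSYSLOG_DebugFormat and flagging messages whose sender left out the hostname field. It assumes the traditional RFC 3164 layout; `parse_rawmsg` and `missing_hostname` are hypothetical names, and the second sample line is constructed.

```python
import re

# Assumed RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)
# A token shaped like a tag ("su[42661]:" or "kernel:") rather than a host name.
TAG_LIKE = re.compile(r"^[^\s\[\]:]+(\[\d+\])?:$")


def parse_rawmsg(rawmsg):
    """Split a raw message and report whether the HOSTNAME field is present."""
    m = HEADER.match(rawmsg)
    if m is None:
        return {"valid_header": False, "hostname": None, "tag": None}
    pri = int(m.group("pri"))
    first, _, remainder = m.group("rest").partition(" ")
    if TAG_LIKE.match(first):
        # The sender skipped the hostname: the first token is already the tag.
        hostname, tag = None, first
    else:
        hostname = first
        tag = remainder.split(" ", 1)[0] if remainder else None
    return {
        "valid_header": True,
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "hostname": hostname,
        "tag": tag,
    }


def missing_hostname(lines):
    """Return the lines with no usable hostname (including unparseable ones)."""
    return [line for line in lines if parse_rawmsg(line)["hostname"] is None]


SAMPLES = [
    # rawmsg taken from the debug output quoted in this thread
    "<86>Aug 19 02:11:58 xyz-DDDD-02 su[42661]: pam_unix(su:session): session closed for user postgres",
    # constructed: the same message with the hostname field left out
    "<86>Aug 19 02:11:58 su[42661]: pam_unix(su:session): session closed for user postgres",
]

if __name__ == "__main__":
    for line in missing_hostname(SAMPLES):
        print("no hostname in:", line)
```

Feeding it the rawmsg values from the /var/log/messagedebug file suggested above shows whether the failing messages arrive without a hostname, which would place the fault on the sending side.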