On 2/19/2018 9:26 AM, deoren wrote:
On 2/19/2018 8:52 AM, Graham Leggett via rsyslog wrote:
Hi all,

I have a number of java services that include support for logging to syslog, but unfortunately they can only log by sending udp packets to port 514.

This is not in itself a problem, however these services have no stable predictable behaviour when it comes to hostname handling, and so we have some logging “localhost”, others logging the shortname, and there is no practical way for us to fix this.

rsyslog supports using a lookup table and also supports reloading that lookup table upon receiving a HUP signal.

I briefly fought the battle you described before giving up and building a JSON file that mapped known hostnames to IPs (or vice versa I guess) so that I could have stable results.

I can't say whether this is the better approach or whether having complete A/PTR records for those devices is the better approach, but I opted for the JSON file as it seemed the simpler option. Mid to long term I have the option of generating the file from a database and then sending rsyslog a SIGHUP to make it use the new file.


Doc:

http://www.rsyslog.com/doc/v8-stable/configuration/lookup_tables.html


> What I need to do is configure rsyslogd to, when it receives messages from localhost port 514 (and only this), override the hostname being forwarded and set that hostname to the FQDN of the rsyslogd machine.

Note: I've not had to do this specific step, but if I had to configure the system to receive 514/udp from remote systems and 514/udp from the local system, I might try to configure them as separate inputs and then attach a ruleset to the 127.0.0.1:514/udp input just for the messages that you planned to rewrite. I don't know if there is a performance gain either way, but using a UNIX socket might allow for larger message passing (I don't know this, but I would suspect it to be true and then double-check to be sure).


> Does rsyslogd have any functionality to rewrite log entries as they go past?
>
> Given that these messages are forwarded upstream (and therefore the FQDN matters), I am assuming the template functionality is not going to work for us?

From what I understand, templates are used to control the format for output. When forwarding messages, that is considered output so templates are available to modify the outgoing content to suit your needs.

Others may have better advice, but here is what I would attempt:

For example, take the standard forwarding template ("ForwardFormat", RFC3164):

template(name="ForwardFormat" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag" position.from="1" position.to="32")
    # spifno1stsp emits a single space only when msg does not already
    # start with one; the message text itself is emitted by the next line
    property(name="msg" spifno1stsp="on")
    property(name="msg")
}

Here the hostname property is being referenced. You could hard-code a value to use in its place (in which case property(name="hostname") would become constant(value="MyIntendedNameHere")), or reference a local variable or JSON message property built elsewhere in your configuration.

You'd then apply this template to your outgoing/forwarded messages.

Note:

Some of my earlier response alluded to %HOSTNAME% containing values based on DNS-lookups. I mentally mixed up %HOSTNAME% and %FROMHOST% when I responded.

My remarks regarding a lookup table are still relevant if you're dealing with systems that provide unreliable data in the hostname field of generated messages and need to override the provided value with stable values that you define.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
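The following is an added example configuration, not taken from either post above and not part of the rsyslog project's documentation. It puts together the two ideas discussed in the thread: a separate imudp input for 127.0.0.1:514 with its own ruleset that replaces the unreliable hostname with a fixed FQDN, and a HUP-reloadable lookup table that maps sender IPs to stable names for everything else. The interface address 192.0.2.10, the FQDN collector.example.com, the upstream target logs.example.com, the file path /etc/rsyslog.d/hosts.json and the table entries are all assumptions chosen for illustration.

```conf
# --- /etc/rsyslog.d/hosts.json (constructed sample; keys are sender IPs) ---
# {
#   "version": 1,
#   "nomatch": "",
#   "type": "string",
#   "table": [
#     { "index": "10.0.0.5", "value": "app01.example.com" },
#     { "index": "10.0.0.6", "value": "app02.example.com" }
#   ]
# }
# An empty "nomatch" lets the ruleset below detect a miss and fall back.

module(load="imudp")

# Regenerate the JSON file and send rsyslogd SIGHUP to pick up changes.
lookup_table(name="host_by_ip" file="/etc/rsyslog.d/hosts.json" reloadOnHUP="on")

# Two inputs on the same port, bound to different addresses. Binding the
# remote input to the interface address (assumed 192.0.2.10) rather than
# 0.0.0.0 avoids overlapping with the loopback-only input.
input(type="imudp" address="192.0.2.10" port="514" ruleset="remote_hosts")
input(type="imudp" address="127.0.0.1" port="514" ruleset="local_java")

# Same layout as the stock ForwardFormat, but the hostname field is taken
# from the local variable $.host that each ruleset sets.
template(name="FwdFixedHost" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="$.host")
    constant(value=" ")
    property(name="syslogtag" position.from="1" position.to="32")
    property(name="msg" spifno1stsp="on")
    property(name="msg")
}

# Only messages that arrived on 127.0.0.1:514 are rewritten: the Java
# services report "localhost" or a short name, so substitute the
# collector's FQDN (assumed collector.example.com).
ruleset(name="local_java") {
    set $.host = "collector.example.com";
    action(type="omfwd" target="logs.example.com" port="514"
           protocol="udp" template="FwdFixedHost")
}

# Remote senders: prefer the name from the lookup table (keyed on the
# sending IP, not the hostname in the message); if the IP is unknown,
# keep whatever hostname the sender put in the message.
ruleset(name="remote_hosts") {
    set $.host = lookup("host_by_ip", $fromhost-ip);
    if ($.host == "") then {
        set $.host = $hostname;
    }
    action(type="omfwd" target="logs.example.com" port="514"
           protocol="udp" template="FwdFixedHost")
}
```

Two practical notes. First, $fromhost-ip is the UDP source address as seen by the kernel, so with UDP input a sender on the local network can still spoof it; the lookup table makes the name consistent, it does not authenticate the sender. Second, rsyslog's $$myhostname could be used in the local ruleset instead of a literal, but it returns whatever rsyslog resolved as the local host name at startup, which is not guaranteed to be the FQDN, so check it before relying on it.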