Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname is "127.0.0.1"?

[David Lang via rsyslog]

try

hostname -f
that give the fully qualified hostname, it if returns 127.0.0.1 then somehow 
that is getting set as the hostname and gethostname() is removing all after the 
first '.', resulting in 127 that you are seeing

try setting the hostname

hostname name-you-want

then restart rsyslog and see if it finds the correct name (if so, this is a 
problem in setting the name, not in rsyslog fetching the name)

David Lang


 On Wed, 6 Oct 2021, David Lang 
wrote:

Date: Wed, 6 Oct 2021 15:06:04 -0700 (PDT)
From: David Lang <da...@lang.hm>
To: Derek Atkins <de...@ihtfp.com>
Cc: David Lang <da...@lang.hm>, rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname is
    "127.0.0.1"?

ok, that confirms that the syscall to get the hostname isn't working

Rainer, what call do we make?

David Lang

On Wed, 6 Oct 2021, Derek Atkins wrote:

Date: Wed, 6 Oct 2021 16:20:46 -0400
From: Derek Atkins <de...@ihtfp.com>
To: David Lang <da...@lang.hm>
Cc: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname is
    "127.0.0.1"?

David,

# cat >> /etc/rsyslog.conf
$template foo,"%$myhostname%/n"
/var/log/myhostname;foo
# /etc/init.d/S01rsyslogd restart
Stopping rsyslogd: OK
Starting rsyslogd: OK
# tail /var/log/myhostname
127/n#

-derek

On Wed, October 6, 2021 2:35 pm, David Lang wrote:
$template foo,"%$myhostname%/n"
/var/log/myhostname;foo

run this for a very short time as it will write a line to this file for
every
log message that arrives :-)

David Lang

On Wed, 6 Oct 2021, Derek Atkins wrote:

Date: Wed, 6 Oct 2021 13:45:56 -0400
From: Derek Atkins <de...@ihtfp.com>
To: David Lang <da...@lang.hm>
Cc: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname
is
    "127.0.0.1"?

David,

I am happy to revert back to the uclibc installation and feed you data,
if
you can give me what to copy-and-paste into my rsyslogd.conf file?

-derek

On Wed, October 6, 2021 1:43 pm, David Lang wrote:
I believe that rsyslog uses the gethostbyname() call to convert the IP
to
name

it would also be interesting to create a custom templete with
%$myhostname% in
it and see what that returns.

I'm not sure if in this case, rsyslog is seeing that there is no
hostname
in the
message and using $myhostname (and that is wrong) or if it's trying to
resolve
127.0.0.1 and that's failing (I suspect that it's the $myhostname
that's
wrong)

If we can identify what's happening, we can then try to create a fix.
It
would
be nice to support non-glibc builds

David Lang


On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:

I just rebuilt the Arm platform with GLibc and.... syslog is working.
So I will go and blame uclibc for the bug.

Thank you for getting me to look more closely (and pointing out that
the
issue is that rsyslogd was not getting a valid hostname).

Thanks all!

-derek

On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
Good morning,

Thank you for your help so far.

I just wanted to add one more piece of data, on my other host
(compiled
in
the same way from the same source in the same BuildRoot manner, but
on
a
different platform), I get what I would expect:

Debug line with all properties:
FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI:
46,
     syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
'rsyslogd',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'Oct  6 12:27:44', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
x-info="https://www.rsyslog.com";] start'
escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
x-pid="1780" x-info="https://www.rsyslog.com";] start'
inputname: imuxsock rawmsg: '<46>Oct  6 12:27:44 rsyslogd: [origin
software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
x-info="https://www.rsyslog.com";] start'
$!:
$.:
$/:

So ... FROMHOST and HOSTNAME are clearly correct here.  So I guess my
question is, what APIs are rsyslogd using to try to obtain this
information?  I can certainly compile additional test code and run it
if
necessary.  I just find it odd that the *host* knows its name but
rsyslogd
can't figure it out?

Actually, looking a little closer, I noticed that I'm using uclibc on
the
arm platform (the broken one), but glibc on the nios2.  I wonder if
this
is the issue?

-derek

On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
As I said in my OP:

# hostname
arm-host

and from this query:

# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       arm-host


However, as I also stated in my OP, I another another machine on a
nios2
with the exact same configuration and there the log messages say the
correct hostname.

-derek

On Tue, October 5, 2021 8:52 pm, David Lang wrote:
what is in /etc/hosts and what do you get if you run the command
hostname?

rsyslog gets fromhost by doing a name lookup of the fromhost-ip

the log message you received (as seen by the rawmsg: section) does
not
provide a
hostname (which could have been the problem)

so based on this, the problem is with name resolution, which should
start
with
/etc/hosts and hostname

David Lang

On Tue, 5 Oct 2021, Derek Atkins wrote:

Date: Tue, 5 Oct 2021 20:28:34 -0400
From: Derek Atkins <de...@ihtfp.com>
To: David Lang <da...@lang.hm>
Cc: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
"127.0.0.1"?

Hi,

Thank you for the quick response.

The logging here is all done locally, and the issue is in EVERY
log
message.  The source is local (a call to vsyslog() in an
application),
or
even just a call to "logger".  Here is the resulting log message
from
rsyslogd starting up:

Debug line with all properties:
FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI:
46,
syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Oct  6 00:14:18', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
x-pid="17368"
x-info="https://www.rsyslog.com";] start'
escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
x-pid="17368" x-info="https://www.rsyslog.com";] start'
inputname: imuxsock rawmsg: '<46>Oct  6 00:14:18 syslog: [origin
software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
x-info="https://www.rsyslog.com";] start'
$!:
$.:
$/:

So... no clue where "FROMHOST" or "HOSTNAME" are coming from here,
but
my
guess that's the problem?

I can run the same config on the nios2 if you want to see what it
says,
but my guess is that FROMHOST and HOSTNAME are going to both be
"nios2"
instead of "127".

The contents of /etc/hosts is effectively the same on both
machines
(the
one that works correctly and this one).

Thanks,

-derek

On Tue, October 5, 2021 6:16 pm, David Lang wrote:
please log with the template RSYSLOG_DebugFormat so that we can
see
exactly what
rsyslog is being sent for a problem message.

David Lang

On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:

Date: Tue, 5 Oct 2021 15:58:07 -0400
From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Derek Atkins <de...@ihtfp.com>
Subject: [rsyslog] RSyslog thinks my machine's hostname is
"127.0.0.1"?

Hi,

I'm using rsyslog in a BuildRoot environment.  I've built it on
two
different platforms (nios2 and arm).  The Nios2 platform works
great.
However, on the Arm platform, rsyslog seems to think the local
hostname
is
"127.0.0.1".  Why do I think that?  Well, /var/log/messages
contains:

Oct  5 19:34:25 127 syslog: [origin software="rsyslogd"
swVersion="8.2010.0" x-pid="8080"
x-info="https://www.rsyslog.com";]
start

Notice the "127" in there?  That's where the "hostname" is
supposed
to
be.
So if for some reason it thinks the FQDN is an IP address, that
would
explain why this is doing that.  But that's weird, because:

# hostname
arm-host

Moreover, if I compile and run the code to execute a
"gethostbyname()"
it
also returns "arm-host".  So I have no idea where it's getting
the
idea
that the hostname/FQDN is an IP Address.

I'll note that on the Nios2 this works as expected:

Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
swVersion="8.2010.0" x-pid="830"
x-info="https://www.rsyslog.com";]
start

I'll say this is the same version of rsyslog on both systems,
built
with
the same sources, and (ostensibly) with the same build-time, and
definitely the same run-time configurations.

I'm just at a loss for why rsyslog might be doing this, and I'm
not
sure
where else to look.

So I'm hoping you experts might be able to help me?

Thanks!

-derek









--
       Derek Atkins                 617-623-3745
       de...@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
you
DON'T LIKE THAT.



--
       Derek Atkins                 617-623-3745
       de...@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
you
DON'T LIKE THAT.













_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.