fromhost is the result of a name lookup of fromhost-ip. On the receiver, you can
control this with your name resolution (DNS, /etc/hosts, other mechanisms)
but a better option would probably be to set the hostname on the sender. The
hostname field in the message is under the full control of the sender.
David Lang
On Tue, 16 Nov 2021, Scott Slattery via rsyslog wrote:
Date: Tue, 16 Nov 2021 14:56:09 -0700
From: Scott Slattery via rsyslog <[email protected]>
To: rsyslog-users <[email protected]>
Cc: Scott Slattery <[email protected]>
Subject: [rsyslog] FROMHOST missing on central log collector
Hello,
I have a central log server, many of them, using rsyslog to aggregate logs
from remote servers. Everything works great but I have a new challenge and
am hoping for some recommendations.
I have a number of AWS auto-scaling groups where compute resources are
dynamically scaled up and down. Each of these will have a custom rsyslog
configuration pulled from the AWS AMI.
These dynamic resources are not added to DNS due to their dynamic nature so
they will not have DNS assigned FQDNs.
Because of the lack of a hostname, my central log server is getting only
IP. I aggregate based on FROMHOST-FROMHOST-IP.
So what I'm seeing today looks like '10.38.134.77-10.38.134.77' where I
want to see ause1oagbtst03.mydomain.com-10.41.102.168
What I'd want to do is have easy resource send using the same hostname and
current IP. This later will allow me to aggregate all resources by name.
I did not see any way of affecting the FROMHOST information unless, on the
collector, I have rules based on IP address which isn't optimal given the
dynamic nature of the IPs changing.
Any suggestion is appreciated.
*Scott Slattery*
*Sr. Enterprise/Cloud Architect*
*Cloud, Compute, Information & Architecture Team*
motorolasolutions.com
*O: 602.529.8226*
*E*: [email protected]
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
