Thanks David, I could be wrong but the resolution seems to be happening at the log collection server, not the client end. Given this, I'm not sure anything outside of rsyslog on the client would affect what the receiving collection server is seeing.
My hope was that this could be affected by RSYSLOG on the client device but perhaps not. I'll also look into AWS to see if a dynamically created compute resource can automatically be registered with DNS. If anything else comes to mind, let me know. As always, I appreciate your feedback. *Scott Slattery* *Sr. Enterprise/Cloud Architect* *Cloud, Compute, Information & Architecture Team* motorolasolutions.com *O: 602.529.8226* *E*: [email protected] On Tue, Nov 16, 2021 at 4:37 PM David Lang <[email protected]> wrote: > Linux has a rather sophisticated mechanism for plugging in arbitrary ways > of > doing name resolution. DNS has 'won' but hitorically there have been many > other > options. Research nsswitch (/etc/nsswitch.conf) and see if there is > something > that you can leverage. > > or, if you can set the hostname of the resources as they are created to be > some > predicatable pattern rather than the AWS default of IP based, you can then > make > your logic use that. (This is the approach I would look into). What > mechanism > this will be will depend on how you are configuring/provisioning the > systems. > > David Lang > > > > On Tue, 16 Nov 2021, Scott Slattery wrote: > > > Date: Tue, 16 Nov 2021 15:14:51 -0700 > > From: Scott Slattery <[email protected]> > > To: David Lang <[email protected]> > > Cc: Scott Slattery via rsyslog <[email protected]> > > Subject: Re: [rsyslog] FROMHOST missing on central log collector > > > > Thanks, David, I was hoping this was possible. Since the compute > resources > > are dynamic, using any sort of local /etc/hosts would be impossible since > > the IP are unpredictable. Can you point me to how I would do this on the > > client-server? > > > > Thanks > > > > *Scott Slattery* > > > > *Sr. Enterprise/Cloud Architect* > > > > *Cloud, Compute, Information & Architecture Team* > > > > motorolasolutions.com > > > > *O: 602.529.8226* > > > > *E*: [email protected] > > > > > > > > > > On Tue, Nov 16, 2021 at 2:59 PM David Lang <[email protected]> wrote: > > > >> fromhost is the result of a name lookup of fromhost-ip. On the receiver, > >> you can > >> control this with your name resolution (DNS, /etc/hosts, other > mechanisms) > >> > >> but a better option would probably be to set the hostname on the sender. > >> The > >> hostname field in the message is under the full control of the sender. > >> > >> David Lang > >> > >> On Tue, 16 Nov 2021, Scott Slattery via rsyslog wrote: > >> > >>> Date: Tue, 16 Nov 2021 14:56:09 -0700 > >>> From: Scott Slattery via rsyslog <[email protected]> > >>> To: rsyslog-users <[email protected]> > >>> Cc: Scott Slattery <[email protected]> > >>> Subject: [rsyslog] FROMHOST missing on central log collector > >>> > >>> Hello, > >>> > >>> I have a central log server, many of them, using rsyslog to aggregate > >> logs > >>> from remote servers. Everything works great but I have a new challenge > >> and > >>> am hoping for some recommendations. > >>> > >>> I have a number of AWS auto-scaling groups where compute resources are > >>> dynamically scaled up and down. Each of these will have a custom > rsyslog > >>> configuration pulled from the AWS AMI. > >>> > >>> These dynamic resources are not added to DNS due to their dynamic > nature > >> so > >>> they will not have DNS assigned FQDNs. > >>> > >>> Because of the lack of a hostname, my central log server is getting > only > >>> IP. I aggregate based on FROMHOST-FROMHOST-IP. > >>> > >>> So what I'm seeing today looks like '10.38.134.77-10.38.134.77' where I > >>> want to see ause1oagbtst03.mydomain.com-10.41.102.168 > >>> > >>> What I'd want to do is have easy resource send using the same hostname > >> and > >>> current IP. This later will allow me to aggregate all resources by > name. > >>> > >>> I did not see any way of affecting the FROMHOST information unless, on > >> the > >>> collector, I have rules based on IP address which isn't optimal given > the > >>> dynamic nature of the IPs changing. > >>> > >>> Any suggestion is appreciated. > >>> > >>> *Scott Slattery* > >>> > >>> *Sr. Enterprise/Cloud Architect* > >>> > >>> *Cloud, Compute, Information & Architecture Team* > >>> > >>> motorolasolutions.com > >>> > >>> *O: 602.529.8226* > >>> > >>> *E*: [email protected] > >>> > >>> > >> > > > > > -- *For more information on how and why we collect your personal information, please visit our Privacy Policy <https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.* _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
