hostname problem

Postby newc0mer on Tue Oct 07, 2008 9:47 am

Hello

I've installed rsyslog and replaced syslog-ng.
/var/log/messages shows me lines like:
Code:
2008-10-07T12:42:09.450917+02:00 localhost xinetd[4220]: START: nrpe pid=25507 from=192.168.10.18


This is okay. But I am using centralized rsyslog logging and phpLogCon. The problem is that "Host" is always "localhost".
Instead I'd like to see the hostname. How can I do that?

I tried it with the property replacement rule: %hostname:localhost:$myhostname:lowercase%
But this just outputs the error log:
Code:
2008-10-07T12:15:50.032657+02:00 localhost rsyslogd: [origin software="rsyslogd" swVersion="3.18.4" x-pid="25224" x-info="http://www.rsyslog.com"] restart
2008-10-07T12:15:50.032927+02:00 localhost rsyslogd: unknown priority name ""
2008-10-07T12:15:50.033402+02:00 localhost rsyslogd: the last error occured in /etc/rsyslog.conf, line 6
2008-10-07T12:15:50.033668+02:00 localhost rsyslogd: warning: selector line without actions will be discarded


Thank you
newc0mer
New
 
Posts: 7
Joined: Tue Oct 07, 2008 9:42 am

Re: hostname problem

Postby rgerhards on Tue Oct 07, 2008 10:29 am

Could you please post your rsyslog.conf.

Thanks,
Rainer
rgerhards
Site Admin
 
Posts: 1664
Joined: Thu Feb 13, 2003 11:57 am

Re: hostname problem

Postby newc0mer on Tue Oct 07, 2008 10:37 am

Yes, of course. Here we go:
Code:
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

# Logging to mysql database
$ModLoad ommysql
*.*       :ommysql:192.168.10.13,rsyslog,rsyslog,rbCAheQTvxne2N8Y

$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # kernel logging (formerly provided by rklogd)

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  -/var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host


# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imtcp.so  # load module
$InputTCPServerRun 514
$InputTCPMaxSessions 100
# Note: as of now, you need to use the -t command line option to
# enable TCP reception (e.g. -t514 to run a server at port 514/tcp)
# This will change in later v3 releases.

# UDP Syslog Server:
#$ModLoad imudp.so  # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514

Re: hostname problem

Postby rgerhards on Tue Oct 07, 2008 10:41 am

Mhh... so the messages are actually from localhost?

Re: hostname problem

Postby newc0mer on Tue Oct 07, 2008 11:06 am

I connected ca. 7 different hosts to this rsyslog "server". When I watch the log messages with phplogcon it shows me logs from client rsyslog server. This works. But it always displays "localhost"... even if it's not from there...

But attention. I saw that localhost is written down in every log on the clients... instead of the hostname :S
Maybe it's an OS config fault?

Re: hostname problem

Postby rgerhards on Tue Oct 07, 2008 11:08 am

oh, sorry, I overlooked the tcp receiver. This looks like an issue with the client configuration, I guess each one is configured to be called "localhost" without a domain. However, it would be smart if rsyslog provided an indication of the actual host in this case...

Rainer

Re: hostname problem

Postby newc0mer on Tue Oct 07, 2008 11:19 am

So I have to put every client into a domain?
Is there no way that the hostname is shown instead of the "localhost" string?

Re: hostname problem

Postby rgerhards on Tue Oct 07, 2008 11:23 am

The hostname on the client is configured to "localhost". Or the DNS lookup returns localhost for each of these clients. So the quick fix is to correct the hostname on the clients.

Re: hostname problem

Postby newc0mer on Tue Oct 07, 2008 11:35 am

I am using rsyslog this way:

________________________                   ________________________               ________       _______
|server with rsyslog(C)|------------------>|server with rsyslog(S)|-------------->|mysqld|<------|webif|
°°°°°°°°°°°°°°°°°°°°°°°°                   °°°°°°°°°°°°°°°°°°°°°°°°               °°°°°°°°       °°°°°°°

Now on webif it shows localhost, no matter which "server with rsyslog(C)" the message is originally from. Is this design correct?

Re: hostname problem

Postby newc0mer on Tue Oct 07, 2008 11:38 am

Ah, I found out that this problem has existed since I started using rsyslog: cat /var/log/messages:
Code:
Oct  6 13:40:01 vappserv1_5 cron[4989]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Oct  6 13:44:11 vappserv1_5 syslog-ng[3329]: Termination requested via signal, terminating;
Oct  6 13:44:11 vappserv1_5 syslog-ng[3329]: syslog-ng shutting down; version='2.0.9'
2008-10-06T13:44:32.608502+02:00 localhost kernel: imklog 3.18.4, log source = /proc/kmsg started.
2008-10-06T13:44:32.608632+02:00 localhost rsyslogd: [origin software="rsyslogd" swVersion="3.18.4" x-pid="5460" x-info="http://www.rsyslog.com"] restart

Re: hostname problem

Postby rgerhards on Tue Oct 07, 2008 11:47 am

rsyslog parses the message correctly according to the relevant RFCs, syslog-ng simply uses the last sender. You can use the last sender by switching to the %FROMHOST% property. However, the root cause is that each remote system is configured with the name of "localhost" instead of a real hostname. rsyslog queries the system and asks what its name is. The name the system reports is put into the syslog message headers. The receiving rsyslogd parses the headers and thus gets the name that the remote systems' gethostname() reported. I hope this clarifies.
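The distinction explained in the post above, between the HOSTNAME a client writes into the message header and the last sender the collector actually sees, as an added example (not part of the original thread and not rsyslog code): a collector-side audit that flags header names that are placeholders or are claimed by more than one peer. The peer addresses and function names are assumptions made for illustration; the log lines are the ones quoted in this thread.

```python
import re
from collections import defaultdict

# Header layouts seen in this thread: an RFC 3339 timestamp (rsyslog's file
# format) or the traditional "Mmm dd hh:mm:ss" form, followed by HOSTNAME.
HEADER = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}T\S+|[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<hostname>\S+)\s"
)
# Names that identify no particular machine (assumed list, extend as needed).
PLACEHOLDERS = {"localhost", "localhost.localdomain", "(none)"}

def header_hostname(line):
    """Return the HOSTNAME the sender wrote into the header, or None."""
    m = HEADER.match(line)
    return m.group("hostname").lower() if m else None

def audit(records):
    """records: iterable of (peer, line), where peer is the last sender as the
    collector saw it. Returns {hostname: sorted peers} for every header name
    that is a placeholder or is claimed by more than one peer."""
    claimed = defaultdict(set)
    for peer, line in records:
        name = header_hostname(line)
        if name is not None:          # unparseable lines are skipped
            claimed[name].add(peer)
    return {
        name: sorted(peers)
        for name, peers in claimed.items()
        if name in PLACEHOLDERS or len(peers) > 1
    }

# Constructed sample: log lines from the thread paired with made-up peers
# from the 192.0.2.0/24 documentation range.
SAMPLE = [
    ("192.0.2.11", "2008-10-07T12:42:09.450917+02:00 localhost xinetd[4220]: "
                   "START: nrpe pid=25507 from=192.168.10.18"),
    ("192.0.2.12", "2008-10-06T13:44:32.608502+02:00 localhost kernel: "
                   "imklog 3.18.4, log source = /proc/kmsg started."),
    ("192.0.2.13", "Oct  6 13:44:11 vappserv1_5 syslog-ng[3329]: "
                   "syslog-ng shutting down; version='2.0.9'"),
]

if __name__ == "__main__":
    for name, peers in audit(SAMPLE).items():
        print(f"{name!r} reported by {len(peers)} peer(s): {', '.join(peers)}")
```

Because the header name is whatever the client chooses to send, a report like this is also a quick way to see which stored records cannot be attributed to a machine by hostname alone.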

Re: hostname problem

Postby newc0mer on Tue Oct 07, 2008 11:59 am

Yes, I had a malformed /etc/hosts config. This is really strange, everything else works... also apache and such, which use this config file. I've added a domain name and now it works. Perfect. ty!

Re: hostname problem

Postby rgerhards on Tue Oct 07, 2008 12:01 pm

They all don't care about their hostname. You will see problems, though, with mail transfer agents. If these systems talk to the outside world, messages passing through them are much more likely to be treated as spam than those from correctly configured systems. Other protocols may have similar issues...
