Logging hostname in syslog compatibility mode


Post by dermoultam » Wed Nov 12, 2008 4:57 pm

Hi, let me say thx for help in advance.

I use redhat derived OS's, and want to use yum to update.
Currently all my hosts have rsyslog version 2.0.2 package installed, this is considered latest in yum for my platform.

I want to configure rsyslog to act like the old syslog (which is no longer available in a fully patched redhat server).
For the most part, it does this, but my log files (like /var/log/messages) are missing the hostname. (we have many devices syslogging to central syslog servers)

I'd like to log the hostname logs into /var/log/messages, and not have to worry about the new syntax for rsyslog.conf, basically, use the compatibility mode.

Does anyone know how to do this?

Stats below:


uname -a
Linux mgsahq05.valero.com 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux


/sbin/rsyslogd -v
rsyslogd 2.0.2, compiled with:
FEATURE_PTHREADS (dual-threading): Yes
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
SYSLOG_INET (Internet/remote support): Yes
FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
FEATURE_DEBUG (debug build, slow code): No
See http://www.rsyslog.com for more information.


cat /etc/sysconfig/rsyslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".



cat /etc/rsyslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
* -/var/log/messages
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log

Re: Logging hostname in syslog compatibility mode

Post by rgerhards » Wed Nov 12, 2008 5:10 pm

This looks like a problem with the senders. Please do a search for FROMHOST on the forum, this should bring up relevant results. If not, let me know.

Re: Logging hostname in syslog compatibility mode

Post by dermoultam » Wed Nov 12, 2008 5:27 pm

rgerhards wrote: This looks like a problem with the senders. Please do a search for FROMHOST on the forum, this should bring up relevant results. If not, let me know.


Thanks rgerhards, appreciate quick reply.

Packet captures show that the syslog clients indeed aren't sending the hostname in the syslog packets...

However, our servers that have the old syslogd look up the hostnames, and include it in the log files.

I'd like to get rsyslogd (functional equivalent of syslogd) to look up the hostname and record it in /var/log/messages

I've had experience with syslog-ng and syslog, and forgive me, but I'd like to not learn a new syntax for this;
thus, I'd like to use the compatibility mode, with the old version (syslogd's /etc/syslog.conf) syntax and behavior, in /etc/rsyslog.conf, etc

Re: Logging hostname in syslog compatibility mode

Post by rgerhards » Wed Nov 12, 2008 5:33 pm

dermoultam wrote: I've had experience with syslog-ng and syslog, and forgive me, but I'd like to not learn a new syntax for this;
thus, I'd like to use the compatibility mode, with the old version (syslogd's /etc/syslog.conf) syntax and behavior, in /etc/rsyslog.conf, etc


rsyslog is a drop-in replacement if the components work correctly. If the senders are malformed, there is no way rsyslog can handle that situation except by using a different template. sysklogd does not use any syslog message fields at all. It's a trade-off if we emulate that too, but the decision was not to do it - especially as this can be done with a simple config change.
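The "different template" and FROMHOST property mentioned in the replies above, written out as an added example in legacy rsyslog.conf syntax (not part of the original thread, and not taken from any poster's configuration). The template names are hypothetical; the selector line is the one from the rsyslog.conf posted at the top of the thread.

```conf
# Added example, not from the thread. Legacy-syntax rsyslog.conf fragment.
#
# Traditional file layout, shown commented out for comparison. HOSTNAME is
# parsed from the message text, so it depends on the sender including it.
#$template FileFormatMsgHost,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# Same layout, but the host column is FROMHOST: the system this server
# received the message from, determined by the receiver rather than taken
# from sender-supplied text. The template name is hypothetical.
$template FileFormatFromHost,"%TIMESTAMP% %FROMHOST% %syslogtag%%msg:::drop-last-lf%\n"

# Selector copied from the posted rsyslog.conf. ";TemplateName" binds the
# template to this one action and leaves the other actions unchanged.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages;FileFormatFromHost
```

If `-x` is added to SYSLOGD_OPTIONS, DNS lookups are disabled and FROMHOST is written as the sender's IP address instead of a name. For messages that arrive through a relay, FROMHOST identifies the relay that delivered them, not the original sender.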

Re: Logging hostname in syslog compatibility mode

Post by dermoultam » Wed Nov 12, 2008 5:39 pm

rgerhards wrote:
dermoultam wrote: I've had experience with syslog-ng and syslog, and forgive me, but I'd like to not learn a new syntax for this;
thus, I'd like to use the compatibility mode, with the old version (syslogd's /etc/syslog.conf) syntax and behavior, in /etc/rsyslog.conf, etc


rsyslog is a drop-in replacement if the components work correctly. If the senders are malformed, there is no way rsyslog can handle that situation except by using a different template. sysklogd does not use any syslog message fields at all. It's a trade-off if we emulate that too, but the decision was not to do it - especially as this can be done with a simple config change.



Then I think it's time I hunkered down and learned the rsyslog way of doing it...

Thanks