MonitorWare Knowledge Base

Hi,
I'm currently having an issue on a single server after having changed the DNS name for the host's external IP address. The hostname remains the same, and the IP that the server has has stayed the same. The name showing up in the logs is that of the A record configured for the IP address of the host's Internat facing IP address, which is available via a virtual IP in our load balancers, so I'm really not sure how or why the VIPs DNS name is showing up in the message. I have tried using FROMHOST in place of HOSTNAME, but I get the same result. Any ideas? The client version is 3.16.2. Thanks.

Dan

P.S. Love the software.

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Hi,

I think there is some kind of DNS caching or similar thing involved. Rsyslog does no special magic to get the hostname - it just does the usual (reverse) DNS lookups. So I would assume that there is some issue with the resolver on that system in question.

Sorry I have no better answer...

Rainer

When rsyslog inserts the hostname into a syslog packet, does it do so via a gethostname() call or a reverse DNS lookup on one of its IPs? If the former, shouldn't this be a non-issue running rsyslogd on both client and server?

If it's the latter...well, why?

-HKS

rsyslog uses gethostname() to obtain its own host name. But in case of FROMHOST, it needs the name of the remote end. So there it does a reverse DNS lookup. Remember, the message could be from any host, so we do not know who the remote peer is

That makes sense in the case of FROMHOST. I assume, then, that SOURCE/HOSTNAME just check the hostname field in the syslog packet first, then resort to a reverse DNS lookup if that fails?

-HKS

You gave a good description. There are some subtleties (depending on the message format), but even with them the overall picture is right.

I've changed it back to using HOSTNAME; however, the local logs still indicate an incorrect hostname, as do the remote logs. The debug output doesn't appear to contain any helpful information. Any suggestions?

Dan.

So local logs are reporting the wrong hostname?

What OS is this? If it's a *nix, try running "hostname" at the CLI (with no arguments). Does this differ from what's reported in the logs?

-HKS

PS - can you give quick rundown on the network layout between the client and server?

-HKS

Yes, the local logs are reporting the wrong hostname. The system is running CentOS 4.5 and `hostname` returns the correct hostname.

Dan.

Can you paste in your local rsyslog.conf?

-HKS

Sure.

Code: Select all

$ModLoad imklog.so
$ModLoad imuxsock.so

$template TraditionalFormat,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n"

$template messages,"/var/log/messages.d/messages_%$YEAR%%$MONTH%%$DAY%.log"
*.info;mail.none;authpriv.none;cron.none                -?messages;TraditionalFormat

$template secure,"/var/log/secure.d/secure_%$YEAR%%$MONTH%%$DAY%.log"
authpriv.*                                              -?secure;TraditionalFormat

$template mail,"/var/log/mail.d/mail_%$YEAR%%$MONTH%%$DAY%.log"
mail.*                                                  -?mail;TraditionalFormat

$template cron,"/var/log/cron.d/cron_%$YEAR%%$MONTH%%$DAY%.log"
cron.*                                                  -?cron;TraditionalFormat

*.emerg                                                 *

$template spooler,"/var/log/spooler.d/spooler_%$YEAR%%$MONTH%%$DAY%.log"
uucp,news.crit                                          -?spooler;TraditionalFormat

$template boot,"/var/log/boot.d/boot_%$YEAR%%$MONTH%%$DAY%.log"
local7.*                                                -?boot;TraditionalFormat


If you have a debug log, it would be interesting to have a look at it. It sometimes contains more information than it looks at first. Also, we could add some new debug line items

The debug output is too long to post in here, due to a 60k character limit. The link below contains the start up of the service in debug, statements of me authenticating to the server, and then shutting down the service. Let me know if there is anything else I can provide. Thanks.

http://dropbox.vmix.com/d/xicCG4nn/rsys ... 080714.log

Thanks for the log. But I forgot to ask one question: which host name do you see and which one did you expect to see?