MonitorWare Knowledge Base

Hello,

I have a FreeBSD system which runs Rsyslog. It logs to a remote PostgreSQL database. I use the FreeBSD system as a syslog server. there are a group of RHEL,FreeBSD and Solaris hosts which write to the FreeBSD Rsyslog server.

However when I see the contents of the database using phplogcon, I see that the hostname for all the entries are my syslog server hostname and not the hostnames of the remote clients which are generating the log. I am posting my contents of my rsyslog.conf here.

Code: Select all

# Rsyslog Configuration file

$ModLoad ompgsql # PostgreSQL support
$ModLoad imudp # Listen for UDP
$ModLoad imtcp # Listen for TCP

# Global settings

$WorkDirectory /var/rsyslog/spool

$InputTCPServerRun 514
$UDPServerRun 514

# Some queues
$ActionQueueType Linkedlist
$ActionQueueFileName dbq #This is the queue which goes to the DB
$ActionResumeRetryCount -1

# And write to the database
*.* :ompgsql:10.10.10.1,Syslog,logger,loggerpa$$w0rd;



Where am I going wrong?

Thanks
Subhro

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

The reason is that rsyslog parses messages according to rfc3164/3195, whereas a number of senders (sysklogd being an example) do not emit the format specified in 3195. The hostname is simply missing. You can populate the hostnames by %FROMHOST%, which is the property that has the last host that sent to rsyslog (in non-relay cases, this is the original hostname). To do so, you need to dig into the template docs, then define a specific template for these senders and finally define filters so that for these senders the different template is being used.

HTH
Rainer