On Fri, 15 Aug 2014, Mike Hoskins (michoski) wrote:

I thought %FROMHOST% caused a DNS lookup on rsyslog's side, while
%HOSTNAME% just used the hostname sent in the message...others will
correct if my memory is bad.  So if %HOSTNAME% is not right, it must be
something on the client side.

If the message is missing a hostname in it, rsyslog will try to create one based on the IP of the sending system. But if the logs are being sent from rsyslog v5 with the default templates, it should be set correctly when it's sent.

I think you just use %rawmsg% to get the raw message.  :-)

http://www.rsyslog.com/doc/property_replacer.html

My most common instruction: log the message with the format RSYSLOG_DebugFormat. It takes multiple lines per message, but shows you the raw message that arrived at rsyslog, and the contents of all the properties and variables that are set.

David Lang
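
The diagnostic suggested above, as an added example that is not part of the original thread: a receiver-side rsyslog configuration fragment in legacy syntax that dumps every message with RSYSLOG_DebugFormat and also writes one line per message comparing %HOSTNAME%, %FROMHOST%, %fromhost-ip% and %rawmsg%. The output file paths and the template name HostDiag are assumptions chosen for illustration.

```conf
# Added example, not from the thread. Place on the receiving rsyslog
# instance, ahead of the rules that build per-host file names.

# 1) Full property dump using the built-in debug template.
#    Several lines per message: the raw message as received plus every
#    property rsyslog derived from it.
#    The path is an assumption; use any location with enough space.
*.* /var/log/rsyslog-debugformat.log;RSYSLOG_DebugFormat

# 2) One line per message for quick comparison (HostDiag is a
#    hypothetical template name):
#      hostname     value of the HOSTNAME property after parsing
#      fromhost     system the message was received from
#      fromhost-ip  the same sender, always as an IP address
#      raw          the message exactly as it arrived
$template HostDiag,"hostname=%HOSTNAME% fromhost=%FROMHOST% fromhost-ip=%fromhost-ip% raw=%rawmsg%\n"
*.* /var/log/rsyslog-hostdiag.log;HostDiag
```

Lines where `hostname` differs from what the client is expected to send can then be matched against their `raw` field to see whether the value came from the message itself or from the receiver. Remove both rules once the capture is done, since they duplicate all traffic to disk.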

-----Original Message-----
From: Ivan Lezhnjov IV <[email protected]>
Reply-To: rsyslog-users <[email protected]>
Date: Friday, August 15, 2014 at 11:07 AM
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Template expands to IP address instead of a host name

Suppose it is true. What fails to perform the DNS resolution then?
rsyslog? How does it do it?

Unfortunately, I do not know what the "rawmessage" is, nor how to look it
up. I'd be happy to provide more information if somebody explained how to
gather it.

Ivan

On Aug 15, 2014, at 5:49 PM, Rainer Gerhards <[email protected]>
wrote:

Could this be a problem with DNS resolution during that timeframe? What do
the messages themselves look like (rawmessage, pls)?


On Fri, Aug 15, 2014 at 2:16 PM, Ivan Lezhnjov IV <
[email protected]> wrote:

A small correction.

The fourth v5 client was affected too:

|-- r
|   `-- 2014
|       `-- 08
|           `-- 14
|               `-- syslog.log

It happened at 18:50 like with the rest of the hosts, but instead of an IP
address or a proper host name %HOSTNAME% was expanded to just "r" for this
client.

Ivan
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
