Simple explanation: the colon cannot be part of a hostname (RFC restriction). So rsyslog knows that "CES:" is not a hostname, and so the heuristic of the default parser does not assign one. On the contrary, "CES" is a perfect hostname and so it is used as such.

HTH
Rainer

2018-07-20 10:50 GMT+02:00 Stephan Seitz <[email protected]>:
> Hi!
>
> I have a rsyslog server with version 8.36.0.
>
> After I updated some FTOS switches the log messages are different from those
> with the older version.
>
> This is an example from a switch with the older version:
> Jul 19 14:46:57 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP
> %SSH-6-CONNECTION: Disconnected from 10.223.0.100
> Jul 19 14:46:58 jurswm22221.juris.de CES: jurswm22221: %STKUNIT0-M:CP
> %SEC-5-LOGOUT: Exec session is terminated for user jurswadmin on line vty0 (
> 10.223.0.100 ) (Reason : User Request)
>
> After the timestamp you have the hostname then the log message starting with
> CES:.
>
> This is an example from a switch with the new FTOS version:
> Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SSH-6-CONNECTION:
> Disconnected from 10.223.0.100
> Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP %SEC-5-LOGOUT: Exec session
> is terminated for user jurswadmin on line vty0 ( 10.223.0.100 ) (Reason :
> User Request)
>
> Interestingly here the hostname is missing after the timestamp. It starts
> with the log message (CES) which doesn’t have the „:” after CES and the
> hostname.
>
> I made a capture file and noticed that the syslog messages are identical
> besides from the source IP in the UDP part, the timestamps, and the message
> starting with CES.
>
> So the complete hostname that is written for switches with the older FTOS
> version is probably inserted by rsyslog. But why isn’t it the case with the
> newer versions? The reverse DNS is working.
>
> Shade and sweet water!
>
> Stephan
>
> --
> | Public Keys: http://fsing.rootsland.net/~stse/keys.html |
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
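
Rainer's explanation at the top of this thread, as an added example that is not part of the original messages and is not rsyslog's code: a simplified Python model of the hostname heuristic, run over wire payloads constructed from Stephan's two samples. The `<189>` priority, the function names and the sender name used for the newer switch are assumptions.

```python
import re
import string

# Simplified model of the heuristic (an assumption, not rsyslog source):
# a hostname token may hold letters, digits, '.', '-' and '_', never ':'.
HOSTNAME_CHARS = set(string.ascii_letters + string.digits + ".-_")
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.S)

# Constructed wire payloads based on the two samples in the thread.
# The <189> priority value is made up for the example.
OLD = ("<189>Jul 19 14:46:57 CES: jurswm22221: %STKUNIT0-M:CP "
       "%SSH-6-CONNECTION: Disconnected from 10.223.0.100")
NEW = ("<189>Jul 19 15:40:38 CES jurswm14221 %STKUNIT0-M:CP "
       "%SSH-6-CONNECTION: Disconnected from 10.223.0.100")


def parse_3164(payload, sender_name):
    """Return (timestamp, hostname, rest). sender_name is the reverse-DNS
    name of the UDP source, used when the payload carries no hostname."""
    m = HEADER.match(payload)
    if not m:
        return None, sender_name, payload
    ts, rest = m.groups()
    token, sep, tail = rest.partition(" ")
    if sep and token and set(token) <= HOSTNAME_CHARS:
        return ts, token, tail          # "CES" passes as a hostname
    return ts, sender_name, rest        # "CES:" does not, fall back


def misattributed(hostname, sender_name):
    """True when the parsed hostname is neither the sender's FQDN nor its
    short name, i.e. the record is filed under the wrong host."""
    sender = sender_name.lower()
    return hostname.lower() not in {sender, sender.split(".")[0]}


if __name__ == "__main__":
    for payload, sender in ((OLD, "jurswm22221.juris.de"),
                            (NEW, "jurswm14221.juris.de")):  # second name assumed
        ts, host, rest = parse_3164(payload, sender)
        flag = "MISMATCH" if misattributed(host, sender) else "ok"
        print(f"{ts} {host} {rest}  [{flag}]")
```

In rsyslog the two values compared here correspond to the `hostname` and `fromhost` message properties, so the same mismatch check can be applied to stored records to find events filed under the wrong host.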

