Mailing List Archive: Where does HOSTNAME come from?

Where does HOSTNAME come from?

Oct 7, 2020, 4:33 PM

Post #1 of 4 (415 views)

I am trying to get several Cisco swtches to log remotely to rsyslog.
The logging works fine but rsyslog insists the hostname is the source IP
address. I had the network guy set the device-id to the name of the
switch but rsyslogs still thinks HOSTNAME is the IP address.

The specific configuration is:

template (name="NwDevLog" type="string"
string="/var/log/network/%HOSTNAME%/messages.log")

if $syslogfacility-text == 'local5' then ?NwDevLog
if $syslogfacility-text == 'local5' then stop

I finally "fixed" it by adding the IP and host name to /etc/hosts on the
syslogger but that seem like a workaround.

Where does rsyslog get the hostname from?

--
Do not become so fixated on the cheese at the end of the maze that you
forget the real goal is to escape from the lab.

Stephen
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Re: Where does HOSTNAME come from? [ In reply to ]

rsyslog at lists

Oct 7, 2020, 5:02 PM

Post #2 of 4 (415 views)

Permalink

when you have a question about what's set, log things with the template
RSYSLOG_DebugFormat

rsyslog looks for the hostname in the message per the RFC formats, but if it
cannot find one, it fills it in based on the source of the message (fromhost or
fromhost-ip)

I'd bet that if you look at the rawmsg that's output by the debug format, you
will see that it's not a proper syslog message.

David Lang

On Wed, 7 Oct 2020, Stephen via
rsyslog wrote:

> Date: Wed, 7 Oct 2020 16:33:52 -0700
> From: Stephen via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: rsyslog@heronforge.net
> Subject: [rsyslog] Where does HOSTNAME come from?
>
> I am trying to get several Cisco swtches to log remotely to rsyslog. The
> logging works fine but rsyslog insists the hostname is the source IP address.
> I had the network guy set the device-id to the name of the switch but
> rsyslogs still thinks HOSTNAME is the IP address.
>
> The specific configuration is:
>
> template (name="NwDevLog" type="string"
> string="/var/log/network/%HOSTNAME%/messages.log")
>
> if $syslogfacility-text == 'local5' then ?NwDevLog
> if $syslogfacility-text == 'local5' then stop
>
> I finally "fixed" it by adding the IP and host name to /etc/hosts on the
> syslogger but that seem like a workaround.
>
> Where does rsyslog get the hostname from?
>
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Re: Where does HOSTNAME come from? [ In reply to ]

rsyslog at lists

Oct 8, 2020, 9:06 AM

Post #3 of 4 (415 views)

Permalink

OK, I can do that.

Is it possible to only change the format on one log file? The only way
I can find is to change the default format and I'd refer to not have all
the logs be in debug format even for a short time. IE:

$ActionFileDefaultTemplate RSYSLOG_DebugFormat

On 10/7/20 5:02 PM, David Lang wrote:
> when you have a question about what's set, log things with the template
> RSYSLOG_DebugFormat
>
> rsyslog looks for the hostname in the message per the RFC formats, but
> if it cannot find one, it fills it in based on the source of the message
> (fromhost or fromhost-ip)
>
> I'd bet that if you look at the rawmsg that's output by the debug
> format, you will see that it's not a proper syslog message.
>
> David Lang
>
> On Wed, 7 Oct 2020, Stephen via rsyslog wrote:
>
>> Date: Wed, 7 Oct 2020 16:33:52 -0700
>> From: Stephen via rsyslog <rsyslog@lists.adiscon.com>
>> To: rsyslog@lists.adiscon.com
>> Cc: rsyslog@heronforge.net
>> Subject: [rsyslog] Where does HOSTNAME come from?
>>
>> I am trying to get several Cisco swtches to log remotely to rsyslog.
>> The logging works fine but rsyslog insists the hostname is the source
>> IP address. I had the network guy set the device-id to the name of the
>> switch but rsyslogs still thinks HOSTNAME is the IP address.
>>
>> The specific configuration is:
>>
>> template (name="NwDevLog" type="string"
>> string="/var/log/network/%HOSTNAME%/messages.log")
>>
>> if $syslogfacility-text == 'local5' then ?NwDevLog
>> if $syslogfacility-text == 'local5' then stop
>>
>> I finally "fixed" it by adding the IP and host name to /etc/hosts on
>> the syslogger but that seem like a workaround.
>>
>> Where does rsyslog get the hostname from?
>>
>>
>
>

--
Do not become so fixated on the cheese at the end of the maze that you
forget the real goal is to escape from the lab.

Stephen
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Re: Where does HOSTNAME come from? [ In reply to ]

rsyslog at lists

Oct 8, 2020, 9:36 AM

Post #4 of 4 (415 views)

Permalink

the template is used while writin a file, your problem seems to be while parsing
the file

but you can change what template you use while writing a file

with the old format you would do filename;template (or
?dynatemplate;linetemplate) with the new action() format, add a template option.

David Lang

On Thu, 8 Oct 2020, rsyslog@heronforge.net wrote:

> Date: Thu, 8 Oct 2020 09:06:22 -0700
> From: rsyslog@heronforge.net
> To: Stephen via rsyslog <rsyslog@lists.adiscon.com>
> Cc: David Lang <david@lang.hm>
> Subject: Re: [rsyslog] Where does HOSTNAME come from?
>
> OK, I can do that.
>
> Is it possible to only change the format on one log file? The only way I can
> find is to change the default format and I'd refer to not have all the logs
> be in debug format even for a short time. IE:
>
> $ActionFileDefaultTemplate RSYSLOG_DebugFormat
>
> On 10/7/20 5:02 PM, David Lang wrote:
>> when you have a question about what's set, log things with the template
>> RSYSLOG_DebugFormat
>>
>> rsyslog looks for the hostname in the message per the RFC formats, but if
>> it cannot find one, it fills it in based on the source of the message
>> (fromhost or fromhost-ip)
>>
>> I'd bet that if you look at the rawmsg that's output by the debug format,
>> you will see that it's not a proper syslog message.
>>
>> David Lang
>>
>> On Wed, 7 Oct 2020, Stephen via rsyslog wrote:
>>
>>> Date: Wed, 7 Oct 2020 16:33:52 -0700
>>> From: Stephen via rsyslog <rsyslog@lists.adiscon.com>
>>> To: rsyslog@lists.adiscon.com
>>> Cc: rsyslog@heronforge.net
>>> Subject: [rsyslog] Where does HOSTNAME come from?
>>>
>>> I am trying to get several Cisco swtches to log remotely to rsyslog. The
>>> logging works fine but rsyslog insists the hostname is the source IP
>>> address. I had the network guy set the device-id to the name of the switch
>>> but rsyslogs still thinks HOSTNAME is the IP address.
>>>
>>> The specific configuration is:
>>>
>>> template (name="NwDevLog" type="string"
>>> string="/var/log/network/%HOSTNAME%/messages.log")
>>>
>>> if $syslogfacility-text == 'local5' then ?NwDevLog
>>> if $syslogfacility-text == 'local5' then stop
>>>
>>> I finally "fixed" it by adding the IP and host name to /etc/hosts on the
>>> syslogger but that seem like a workaround.
>>>
>>> Where does rsyslog get the hostname from?
>>>
>>>
>>
>>
>
>
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.