Mailing List Archive

Rsyslog working
Hi Everyone,

I have a few queries regarding rsyslog functioning. I am using rsyslog
service to collect the logs. For separating the logs coming from different
sources, I am creating the files as per the source IP address, and using
the 'hostname' property for the same. In some cases the "hostname"
property is getting resolved to the 'IP address', but in other cases it
shows as "local host".
However, 'fromHost' value is getting resolved to the IP address.

Would you please enlighten me why it is happening? How does 'rsyslog'
determine its value, is it by reading the header or payload of the
message? Kindly also help me to understand the exact and
detailed difference between the 4 properties below, and which one should be used
where?

*hostname*
*source*
*fromhost*
*fromhost-ip*

I really appreciate your help!

Thanks,
Prashant
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Rsyslog working
Hi,

this info is read from the header (RFC3164 or 5424 depending on format).

You may be more interested in fromhost-ip property (but that's the
last hop in a relay scenario).

HTH
Rainer

On Wed, 11 Nov 2020 at 16:38, Psquare via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Hi Everyone,
>
> I have a few queries regarding rsyslog functioning. I am using rsyslog
> service to collect the logs. For separating the logs coming from different
> sources, I am creating the files as per the source IP address, and using
> the 'hostname' property for the same. In some cases the "hostname"
> property is getting resolved to the 'IP address', but in other cases it
> shows as "local host".
> However, 'fromHost' value is getting resolved to the IP address.
>
> Would you please enlighten me why it is happening? How does 'rsyslog'
> determine its value, is it by reading the header or payload of the
> message? Kindly also help me to understand the exact and
> detailed difference between the 4 properties below, and which one should be used
> where?
>
> *hostname*
> *source*
> *fromhost*
> *fromhost-ip*
>
> I really appreciate your help!
>
> Thanks,
> Prashant
Re: Rsyslog working
Thanks for the prompt response.

If the info is read from the header, which always has an IP address, the
'hostname' property should always show the IP address, but in my case it is
showing 'localhost'. Why is it happening?

Please also provide more info about other fields, how they get mapped to
value?

Thanks,
Prashant

On Wed, Nov 11, 2020 at 9:12 PM Rainer Gerhards <rgerhards@hq.adiscon.com>
wrote:

> Hi,
>
> this info is read from the header (RFC3164 or 5424 depending on format).
>
> You may be more interested in fromhost-ip property (but that's the
> last hop in a relay scenario).
>
> HTH
> Rainer
Re: Rsyslog working
Log the message with the template RSYSLOG_DebugFormat.

I'd bet that the header for the messages does not have the IP address there; it
may be missing entirely, which has rsyslog using fromhost instead, and you may
have an /etc/hosts entry that maps that IP to localhost.

But we can't really figure out what's happening until we can see the rawmsg
that's triggering the behavior you are seeing.

David Lang

On Wed, 11 Nov 2020, Psquare via rsyslog wrote:

> Date: Wed, 11 Nov 2020 22:54:39 +0530
> From: Psquare via rsyslog <rsyslog@lists.adiscon.com>
> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Cc: Psquare <pacific.rpsquare@gmail.com>,
> rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Rsyslog working
>
> Thanks for the prompt response.
>
> If the info is read from the header, which always has an IP address, the
> 'hostname' property should always show the IP address, but in my case it is
> showing 'localhost'. Why is it happening?
>
> Please also provide more info about other fields, how they get mapped to
> value?
>
> Thanks,
> Prashant
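
Added example, not part of the original thread and not the list members' own configuration: an rsyslog configuration that applies the two suggestions made in the replies above. It names per-source files after fromhost-ip instead of hostname, and writes a diagnostic copy of every received message with RSYSLOG_DebugFormat so that hostname, fromhost, fromhost-ip and rawmsg can be compared side by side. The UDP listener, port, ruleset name, template name and file paths are assumptions.

```conf
# Added example (not from the thread). Listener, port, ruleset name,
# template name and file paths are assumptions; adjust to the local setup.

module(load="imudp")

# One directory per sending address. %fromhost-ip% is the address rsyslog
# received the message from (the last hop when relays are involved).
# %hostname% is parsed from the message header, so its content depends on
# what the sender wrote there and it is unsuitable as a trusted file key.
template(name="PerSourceFile" type="string"
         string="/var/log/remote/%fromhost-ip%/messages.log")

ruleset(name="remote") {
    # Diagnostic copy: RSYSLOG_DebugFormat dumps the message properties,
    # including FROMHOST, fromhost-ip, HOSTNAME and rawmsg, for each
    # message. Remove this action once the cause has been found.
    action(type="omfile" file="/var/log/remote/debug.log"
           template="RSYSLOG_DebugFormat")

    # Regular copy, split by sender address.
    action(type="omfile" dynaFile="PerSourceFile")
}

# The ruleset must be defined before the input that binds to it.
input(type="imudp" port="514" ruleset="remote")
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.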