Mailing List Archive

Re: rsyslog Digest, Vol 172, Issue 1
unsubscribe

On Thu, Oct 7, 2021 at 8:17 PM <rsyslog-request@lists.adiscon.com> wrote:

> Send rsyslog mailing list submissions to
> rsyslog@lists.adiscon.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> or, via email, send a message with subject or body 'help' to
> rsyslog-request@lists.adiscon.com
>
> You can reach the person managing the list at
> rsyslog-owner@lists.adiscon.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of rsyslog digest..."
>
>
> Today's Topics:
>
> 1. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (David Lang)
> 2. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Mariusz Kruk)
> 3. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (David Lang)
> 4. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (rajeshksv)
> 5. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Rainer Gerhards)
> 6. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Mariusz Kruk)
> 7. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Mariusz Kruk)
> 8. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Rainer Gerhards)
> 9. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Mariusz Kruk)
> 10. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Rainer Gerhards)
> 11. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Mariusz Kruk)
> 12. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (David Lang)
> 13. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (David Lang)
> 14. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Rainer Gerhards)
> 15. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Rainer Gerhards)
> 16. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Rainer Gerhards)
> 17. Create Cry key (rking@abbyking.co.uk)
> 18. Re: Create Cry key (Mariusz Kruk)
> 19. Re: Message modification in DIRECT Queues have different
> semantics when using with rulesets vs actions (Rainer Gerhards)
> 20. rscryutil not always able to decrypt log (rking@abbyking.co.uk)
> 21. could not load module 'imklog' (Andrea Monaco)
> 22. Missing PATH_MAX and MAXPATHLEN on GNU/Hurd (Andrea Monaco)
> 23. Re: Missing PATH_MAX and MAXPATHLEN on GNU/Hurd (Rainer Gerhards)
> 24. Re: Missing PATH_MAX and MAXPATHLEN on GNU/Hurd (Andrea Monaco)
> 25. Re: Missing PATH_MAX and MAXPATHLEN on GNU/Hurd (Rainer Gerhards)
> 26. Disable user Login messages (silver-spirit@gmx.de)
> 27. Re: Missing PATH_MAX and MAXPATHLEN on GNU/Hurd (Andrea Monaco)
> 28. UNSUSCRIBE (Saint Michael)
> 29. RSyslog thinks my machine's hostname is "127.0.0.1"?
> (Derek Atkins)
> 30. Re: RSyslog thinks my machine's hostname is "127.0.0.1"?
> (Derek Atkins)
> 31. Re: RSyslog thinks my machine's hostname is "127.0.0.1"?
> (David Lang)
> 32. Re: RSyslog thinks my machine's hostname is "127.0.0.1"?
> (Derek Atkins)
> 33. Re: RSyslog thinks my machine's hostname is "127.0.0.1"?
> (Derek Atkins)
> 34. [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (Derek Atkins)
> 35. Re: [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (David Lang)
> 36. Re: [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (Derek Atkins)
> 37. Re: [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (David Lang)
> 38. Re: [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (Derek Atkins)
> 39. Re: [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (David Lang)
> 40. Re: [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (David Lang)
> 41. Re: [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (Derek Atkins)
> 42. Re: [SOLVED] Re: RSyslog thinks my machine's hostname is
> "127.0.0.1"? (Rainer Gerhards)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 16 Sep 2021 11:54:54 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <nycvar.QRO.7.76.6.2109161153180.8265@qynat-yncgbc>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> There is no reason you can't call mmnormalize multiple times, you can
> specify
> where to put the results (by default, they go under $!)
>
> I'm not really sure what a direct queue on a ruleset means, you should
> just call
> the ruleset without it having any queue on it.
>
> David Lang
>
> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
>
> > I believe it's not about queue, but about mmnormalize. I haven't used
> > mmnormalize much myself but from the docs I understand that mmnormalize
> > should only be called once on a message and is supposed to parse the
> message
> > into a set of "global" properties.
> >
> >
> > On 16.09.2021 15:21, rajeshksv via rsyslog wrote:
> >> Hi Rsyslog Users,
> >>
> >> I am trying to understand how queues work in Rsyslog. In case of
> non-direct
> >> queues, message is copied and placed in the queue and message
> modifications
> >> done by queue workers won't have any impact on the original message.
> Makes
> >> sense here.
> >>
> >> However, I am a little confused when it comes to direct Queue. What
> >> happens in Direct Queue ? Will the message be copied or is it the same
> >> message ? I tested out two scenarios (wrt rulesets and actions) and
> both
> >> of them gave different results.
> >>
> >> When ruleset is backed by a direct Queue, message modifications done in
> >> ruleset don't reflect back in original flow where as in case of actions
> >> (such mmnormalize, mmkubernetes) which are by default backed by direct
> >> Queue, message modifications done with action reflects in original flow
> >>
> >> Scenario 1:
> >>
> >> template(name="abc" type="string" string="%$!var1% %$.var2% %msg%")
> >>
> >> ruleset(name="relay.htp1" queue.type="Direct") {
> >> call rs1
> >> * // $!var1, $.var2 aren't available here*
> >> action(type="omfile" file="/tmp/output.log" template="abc")
> >> call relay.htp
> >> }
> >>
> >> ruleset(name="rs1" queue.type="Direct"){
> >> set $!var1 = "hello";
> >> set $.var2 = "bye";
> >> }
> >>
> >> input(type="imfile"
> >> File="/tmp/input.log"
> >> Ruleset="relay.htp1"
> >> Tag="tag")
> >>
> >>
> >> Scenario 2:
> >>
> >> module(load = "mmnormalize")
> >> ruleset(name = "relay.htp1" queue.type="Direct") {
> >> action(type = "mmnormalize"
> ruleBase="/etc/rsyslog.d/service.rulebase"
> >> path="$!msg")
> >> * // $!msg will be available here even though action is backed by a
> >> default Queue. *
> >> }
> >>
> >> input(type="imfile"
> >> File="/tmp/input.log"
> >> Ruleset="relay.htp1"
> >> Tag="tag")
> >>
> >>
> >> How come $!var1, $.var2 aren't available in scenario1 whereas $!msg is
> >> available when both are using Direct Queue. Am I missing something here
> ?
> >>
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T
> > LIKE THAT.
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 16 Sep 2021 20:58:37 +0200
> From: Mariusz Kruk <kruk@epsilon.eu.org>
> To: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <84cd9b24-f831-e4bb-63a6-40203baed3a1@epsilon.eu.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
>
> "Note that mmnormalize should only be called once on each message.
> Behaviour is undefined if multiple calls to mmnormalize happen for the
> same message."
>
> From my tests it turns out that even with direct queue the message gets
> copied when entering a separate queue and thus the results are not
> inherited on the ruleset (and queue) exit.
>
> So it seems to be the mmnormalize that's causing the OP's variable to be
> retained after the ruleset exit.
>
> On 16.09.2021 20:54, David Lang wrote:
> > There is no reason you can't call mmnormalize multiple times, you can
> > specify where to put the results (by default, they go under $!)
> >
> > I'm not really sure what a direct queue on a ruleset means, you should
> > just call the ruleset without it having any queue on it.
> >
> > David Lang
> >
> > On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> >
> >> I believe it's not about queue, but about mmnormalize. I haven't used
> >> mmnormalize much myself but from the docs I understand that
> >> mmnormalize should only be called once on a message and is supposed
> >> to parse the message into a set of "global" properties.
> >>
> >>
> >> On 16.09.2021 15:21, rajeshksv via rsyslog wrote:
> >>> Hi Rsyslog Users,
> >>>
> >>> I am trying to understand how queues work in Rsyslog. In case of
> >>> non-direct
> >>> queues, message is copied and placed in the queue and message
> >>> modifications
> >>> done by queue workers won't have any impact on the original message.
> >>> Makes
> >>> sense here.
> >>>
> >>> However, I am a little confused when it comes to direct Queue.? What
> >>> happens in Direct Queue ? Will the message be copied or is it the same
> >>> message ? I tested out two scenarios (wrt rulesets and actions)? and
> >>> both
> >>> of them gave different results.
> >>>
> >>> When ruleset is backed by a direct Queue, message modifications done in
> >>> ruleset don't reflect back in original flow where as in case of actions
> >>> (such mmnormalize, mmkubernetes) which are by default backed by direct
> >>> Queue, message modifications done with action reflects in original flow
> >>>
> >>> Scenario 1:
> >>>
> >>> template(name="abc" type="string" string="%$!var1% %$.var2% %msg%")
> >>>
> >>> ruleset(name="relay.htp1" queue.type="Direct") {
> >>> ????? call rs1
> >>> ??? * // $!var1, $.var2 aren't available here*
> >>> ????? action(type="omfile" file="/tmp/output.log" template="abc")
> >>> ????? call relay.htp
> >>> }
> >>>
> >>> ruleset(name="rs1" queue.type="Direct"){
> >>> ???? set $!var1 = "hello";
> >>> ???? set $.var2 = "bye";
> >>> }
> >>>
> >>> input(type="imfile"
> >>> ??????? File="/tmp/input.log"
> >>> ??????? Ruleset="relay.htp1"
> >>> ??????? Tag="tag")
> >>>
> >>>
> >>> Scenario 2:
> >>>
> >>> module(load = "mmnormalize")
> >>> ruleset(name = "relay.htp1"? queue.type="Direct") {
> >>> ??? action(type = "mmnormalize"
> >>> ruleBase="/etc/rsyslog.d/service.rulebase"
> >>> path="$!msg")
> >>> ?? * // $!msg will be available here even though action is backed by a
> >>> default Queue. *
> >>> }
> >>>
> >>> input(type="imfile"
> >>> ??????? File="/tmp/input.log"
> >>> ??????? Ruleset="relay.htp1"
> >>> ??????? Tag="tag")
> >>>
> >>>
> >>> How come $!var1, $.var2 aren't available in scenario1 whereas $!msg is
> >>> available when both are using Direct Queue. Am I missing something
> >>> here ?
> >>>
> >> _______________________________________________
> >> rsyslog mailing list
> >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> >> POST if you DON'T LIKE THAT.
> >>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 16 Sep 2021 12:26:00 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <nycvar.QRO.7.76.6.2109161224270.8265@qynat-yncgbc>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
>
> >
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
> >
> > "Note that mmnormalize should only be called once on each message.
> > Behaviour is undefined if multiple calls to mmnormalize happen for the
> > same message."
>
> I called that out and it should have been removed from current
> documentation.
>
> > From my tests it turns out that even with direct queue the message gets
> > copied when entering a separate queue and thus the results are not
> > inherited on the ruleset (and queue) exit.
> >
> > So it seems to be the mmnormalize that's causing the OP's variable to be
> > retained after the ruleset exit.
>
> but if you don't specify any queue at all, then things inside a ruleset
> will
> affect things outside the ruleset.
>
> David Lang
>
> > On 16.09.2021 20:54, David Lang wrote:
> >> There is no reason you can't call mmnormalize multiple times, you can
> >> specify where to put the results (by default, they go under $!)
> >>
> >> I'm not really sure what a direct queue on a ruleset means, you should
> >> just call the ruleset without it having any queue on it.
> >>
> >> David Lang
> >>
> >> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> >>
> >>> I believe it's not about queue, but about mmnormalize. I haven't used
> >>> mmnormalize much myself but from the docs I understand that
> >>> mmnormalize should only be called once on a message and is supposed
> >>> to parse the message into a set of "global" properties.
> >>>
> >>>
> >>> On 16.09.2021 15:21, rajeshksv via rsyslog wrote:
> >>>> Hi Rsyslog Users,
> >>>>
> >>>> I am trying to understand how queues work in Rsyslog. In case of
> >>>> non-direct
> >>>> queues, message is copied and placed in the queue and message
> >>>> modifications
> >>>> done by queue workers won't have any impact on the original message.
> >>>> Makes
> >>>> sense here.
> >>>>
> >>>> However, I am a little confused when it comes to direct Queue.? What
> >>>> happens in Direct Queue ? Will the message be copied or is it the same
> >>>> message ? I tested out two scenarios (wrt rulesets and actions)? and
> >>>> both
> >>>> of them gave different results.
> >>>>
> >>>> When ruleset is backed by a direct Queue, message modifications done
> in
> >>>> ruleset don't reflect back in original flow where as in case of
> actions
> >>>> (such mmnormalize, mmkubernetes) which are by default backed by direct
> >>>> Queue, message modifications done with action reflects in original
> flow
> >>>>
> >>>> Scenario 1:
> >>>>
> >>>> template(name="abc" type="string" string="%$!var1% %$.var2% %msg%")
> >>>>
> >>>> ruleset(name="relay.htp1" queue.type="Direct") {
> >>>> ????? call rs1
> >>>> ??? * // $!var1, $.var2 aren't available here*
> >>>> ????? action(type="omfile" file="/tmp/output.log" template="abc")
> >>>> ????? call relay.htp
> >>>> }
> >>>>
> >>>> ruleset(name="rs1" queue.type="Direct"){
> >>>> ???? set $!var1 = "hello";
> >>>> ???? set $.var2 = "bye";
> >>>> }
> >>>>
> >>>> input(type="imfile"
> >>>> ??????? File="/tmp/input.log"
> >>>> ??????? Ruleset="relay.htp1"
> >>>> ??????? Tag="tag")
> >>>>
> >>>>
> >>>> Scenario 2:
> >>>>
> >>>> module(load = "mmnormalize")
> >>>> ruleset(name = "relay.htp1"? queue.type="Direct") {
> >>>> ??? action(type = "mmnormalize"
> >>>> ruleBase="/etc/rsyslog.d/service.rulebase"
> >>>> path="$!msg")
> >>>> ?? * // $!msg will be available here even though action is backed by a
> >>>> default Queue. *
> >>>> }
> >>>>
> >>>> input(type="imfile"
> >>>> ??????? File="/tmp/input.log"
> >>>> ??????? Ruleset="relay.htp1"
> >>>> ??????? Tag="tag")
> >>>>
> >>>>
> >>>> How come $!var1, $.var2 aren't available in scenario1 whereas $!msg is
> >>>> available when both are using Direct Queue. Am I missing something
> >>>> here ?
> >>>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> >>> POST if you DON'T LIKE THAT.
> >>>
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T
> > LIKE THAT.
>
> ------------------------------
>
> Message: 4
> Date: Fri, 17 Sep 2021 09:46:59 +0530
> From: rajeshksv <rajeshksv37@gmail.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID:
> <CAJQ5ZoTFdF4YgSa6tAeXPaa2d=95x=
> bDWrdWU+oOaQ8AinuMcA@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Agreed. We don't need a direct queue before ruleset. I added it only to
> understand what's going with DIRECT Queues (Since its a very novel concept
> - Haven't heard something like this before)
>
> If you remove the DIRECT queue from ruleset(in Scenario I), then
> modifications done in ruleset are visible to the main lane. It's working as
> expected. But since I am interested in understanding DIRECT Queues, I added
> it.
>
> >>> Also, although the maintainers will need to say for sure, user variable
> defined in a call may not be visible to the parent. Same as in most
> programming languages.
> Rsyslog works in a different way, in few scenarios, user variables defined
> in a call will be visible to the parent (If ruleset is not backed by
> Queue). So, its not similar to other languages ;)
>
> >>> "Note that mmnormalize should only be called once on each message.
> Behaviour is undefined if multiple calls to mmnormalize happen for the
> same message."
> Its a documentation bug, Rainer has raised a PR and will be resolved soon -
> https://github.com/rsyslog/rsyslog-doc/pull/931/files. Its safe to use it
> multiple times.
>
>
> On Fri, Sep 17, 2021 at 12:56 AM David Lang via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
>
> > On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> >
> > >
> >
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
> > >
> > > "Note that mmnormalize should only be called once on each message.
> > > Behaviour is undefined if multiple calls to mmnormalize happen for the
> > > same message."
> >
> > I called that out and it should have been removed from current
> > documentation.
> >
> > > From my tests it turns out that even with direct queue the message gets
> > > copied when entering a separate queue and thus the results are not
> > > inherited on the ruleset (and queue) exit.
> > >
> > > So it seems to be the mmnormalize that's causing the OP's variable to
> be
> > > retained after the ruleset exit.
> >
> > but if you don't specify any queue at all, then things inside a ruleset
> > will
> > affect things outside the ruleset.
> >
> > David Lang
> >
> > > On 16.09.2021 20:54, David Lang wrote:
> > >> There is no reason you can't call mmnormalize multiple times, you can
> > >> specify where to put the results (by default, they go under $!)
> > >>
> > >> I'm not really sure what a direct queue on a ruleset means, you should
> > >> just call the ruleset without it having any queue on it.
> > >>
> > >> David Lang
> > >>
> > >> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> > >>
> > >>> I believe it's not about queue, but about mmnormalize. I haven't used
> > >>> mmnormalize much myself but from the docs I understand that
> > >>> mmnormalize should only be called once on a message and is supposed
> > >>> to parse the message into a set of "global" properties.
> > >>>
> > >>>
> > >>> On 16.09.2021 15:21, rajeshksv via rsyslog wrote:
> > >>>> Hi Rsyslog Users,
> > >>>>
> > >>>> I am trying to understand how queues work in Rsyslog. In case of
> > >>>> non-direct
> > >>>> queues, message is copied and placed in the queue and message
> > >>>> modifications
> > >>>> done by queue workers won't have any impact on the original message.
> > >>>> Makes
> > >>>> sense here.
> > >>>>
> > >>>> However, I am a little confused when it comes to direct Queue. What
> > >>>> happens in Direct Queue ? Will the message be copied or is it the
> same
> > >>>> message ? I tested out two scenarios (wrt rulesets and actions) and
> > >>>> both
> > >>>> of them gave different results.
> > >>>>
> > >>>> When ruleset is backed by a direct Queue, message modifications done
> > in
> > >>>> ruleset don't reflect back in original flow where as in case of
> > actions
> > >>>> (such mmnormalize, mmkubernetes) which are by default backed by
> direct
> > >>>> Queue, message modifications done with action reflects in original
> > flow
> > >>>>
> > >>>> Scenario 1:
> > >>>>
> > >>>> template(name="abc" type="string" string="%$!var1% %$.var2% %msg%")
> > >>>>
> > >>>> ruleset(name="relay.htp1" queue.type="Direct") {
> > >>>> call rs1
> > >>>> * // $!var1, $.var2 aren't available here*
> > >>>> action(type="omfile" file="/tmp/output.log" template="abc")
> > >>>> call relay.htp
> > >>>> }
> > >>>>
> > >>>> ruleset(name="rs1" queue.type="Direct"){
> > >>>> set $!var1 = "hello";
> > >>>> set $.var2 = "bye";
> > >>>> }
> > >>>>
> > >>>> input(type="imfile"
> > >>>> File="/tmp/input.log"
> > >>>> Ruleset="relay.htp1"
> > >>>> Tag="tag")
> > >>>>
> > >>>>
> > >>>> Scenario 2:
> > >>>>
> > >>>> module(load = "mmnormalize")
> > >>>> ruleset(name = "relay.htp1" queue.type="Direct") {
> > >>>> action(type = "mmnormalize"
> > >>>> ruleBase="/etc/rsyslog.d/service.rulebase"
> > >>>> path="$!msg")
> > >>>> * // $!msg will be available here even though action is backed
> by a
> > >>>> default Queue. *
> > >>>> }
> > >>>>
> > >>>> input(type="imfile"
> > >>>> File="/tmp/input.log"
> > >>>> Ruleset="relay.htp1"
> > >>>> Tag="tag")
> > >>>>
> > >>>>
> > >>>> How come $!var1, $.var2 aren't available in scenario1 whereas $!msg
> is
> > >>>> available when both are using Direct Queue. Am I missing something
> > >>>> here ?
> > >>>>
> > >>> _______________________________________________
> > >>> rsyslog mailing list
> > >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>> http://www.rsyslog.com/professional-services/
> > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > >>> POST if you DON'T LIKE THAT.
> > >>>
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> > of
> > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T
> > > LIKE THAT.
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
>
>
>
> --
> Regards,
> Rajesh KSV
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 17 Sep 2021 08:55:20 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID:
> <
> CADk+mPDkRf0yO8tiiCq3Bk7Eyk83-FeNA+n_cC8Y8YizET4a8A@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> The default queue mode is "direct" - no matter if it is explicitly
> specified or not.
>
> There are indeed semantic differences between the "direct" queue
> (a.k.a. "no real queue exists") and any other (real) queue type. As
> you say, in direct mode, the message object is NOT copied. So anything
> done to it, will potentially affect other uses of the very same
> message object. I real queues, the message is copied and thus no
> processing outside the scope of the queue is affected.
>
> NOTE WELL: if you have parts with direct AND real queues AND modify
> messages in "direct queue constructs" AND have actions/rulesets with
> real queues running in parallel, you have a race. If the modification
> made by the direct queue part depends on whether processing of the
> real queues has already started. For "regular" rule sets this is no
> problem, because main processing is sequential. However, if you do
> very complex setups with multipele rule sets calling into each other
> and using different queue modes, this can affect you.
>
> It is best, also for maintainability, to have a simple sequential
> structure in top level processing, spawning off topic rule sets (if at
> all required). then do all "global" modifications at the beginning.
> And do local (intentionally non outside-visible) modifications in the
> topic rule sets.
>
> I hope this helps,
> Rainer
>
> El vie, 17 sept 2021 a las 6:17, rajeshksv via rsyslog
> (<rsyslog@lists.adiscon.com>) escribi?:
> >
> > Agreed. We don't need a direct queue before ruleset. I added it only to
> > understand what's going with DIRECT Queues (Since its a very novel
> concept
> > - Haven't heard something like this before)
> >
> > If you remove the DIRECT queue from ruleset(in Scenario I), then
> > modifications done in ruleset are visible to the main lane. It's working
> as
> > expected. But since I am interested in understanding DIRECT Queues, I
> added
> > it.
> >
> > >>> Also, although the maintainers will need to say for sure, user
> variable
> > defined in a call may not be visible to the parent. Same as in most
> > programming languages.
> > Rsyslog works in a different way, in few scenarios, user variables
> defined
> > in a call will be visible to the parent (If ruleset is not backed by
> > Queue). So, its not similar to other languages ;)
> >
> > >>> "Note that mmnormalize should only be called once on each message.
> > Behaviour is undefined if multiple calls to mmnormalize happen for the
> > same message."
> > Its a documentation bug, Rainer has raised a PR and will be resolved
> soon -
> > https://github.com/rsyslog/rsyslog-doc/pull/931/files. Its safe to use
> it
> > multiple times.
> >
> >
> > On Fri, Sep 17, 2021 at 12:56 AM David Lang via rsyslog <
> > rsyslog@lists.adiscon.com> wrote:
> >
> > > On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> > >
> > > >
> > >
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
> > > >
> > > > "Note that mmnormalize should only be called once on each message.
> > > > Behaviour is undefined if multiple calls to mmnormalize happen for
> the
> > > > same message."
> > >
> > > I called that out and it should have been removed from current
> > > documentation.
> > >
> > > > From my tests it turns out that even with direct queue the message
> gets
> > > > copied when entering a separate queue and thus the results are not
> > > > inherited on the ruleset (and queue) exit.
> > > >
> > > > So it seems to be the mmnormalize that's causing the OP's variable
> to be
> > > > retained after the ruleset exit.
> > >
> > > but if you don't specify any queue at all, then things inside a ruleset
> > > will
> > > affect things outside the ruleset.
> > >
> > > David Lang
> > >
> > > > On 16.09.2021 20:54, David Lang wrote:
> > > >> There is no reason you can't call mmnormalize multiple times, you
> can
> > > >> specify where to put the results (by default, they go under $!)
> > > >>
> > > >> I'm not really sure what a direct queue on a ruleset means, you
> should
> > > >> just call the ruleset without it having any queue on it.
> > > >>
> > > >> David Lang
> > > >>
> > > >> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> > > >>
> > > >>> I believe it's not about queue, but about mmnormalize. I haven't
> used
> > > >>> mmnormalize much myself but from the docs I understand that
> > > >>> mmnormalize should only be called once on a message and is supposed
> > > >>> to parse the message into a set of "global" properties.
> > > >>>
> > > >>>
> > > >>> On 16.09.2021 15:21, rajeshksv via rsyslog wrote:
> > > >>>> Hi Rsyslog Users,
> > > >>>>
> > > >>>> I am trying to understand how queues work in Rsyslog. In case of
> > > >>>> non-direct
> > > >>>> queues, message is copied and placed in the queue and message
> > > >>>> modifications
> > > >>>> done by queue workers won't have any impact on the original
> message.
> > > >>>> Makes
> > > >>>> sense here.
> > > >>>>
> > > >>>> However, I am a little confused when it comes to direct Queue.
> What
> > > >>>> happens in Direct Queue ? Will the message be copied or is it the
> same
> > > >>>> message ? I tested out two scenarios (wrt rulesets and actions)
> and
> > > >>>> both
> > > >>>> of them gave different results.
> > > >>>>
> > > >>>> When ruleset is backed by a direct Queue, message modifications
> done
> > > in
> > > >>>> ruleset don't reflect back in original flow where as in case of
> > > actions
> > > >>>> (such mmnormalize, mmkubernetes) which are by default backed by
> direct
> > > >>>> Queue, message modifications done with action reflects in original
> > > flow
> > > >>>>
> > > >>>> Scenario 1:
> > > >>>>
> > > >>>> template(name="abc" type="string" string="%$!var1% %$.var2%
> %msg%")
> > > >>>>
> > > >>>> ruleset(name="relay.htp1" queue.type="Direct") {
> > > >>>> call rs1
> > > >>>> * // $!var1, $.var2 aren't available here*
> > > >>>> action(type="omfile" file="/tmp/output.log" template="abc")
> > > >>>> call relay.htp
> > > >>>> }
> > > >>>>
> > > >>>> ruleset(name="rs1" queue.type="Direct"){
> > > >>>> set $!var1 = "hello";
> > > >>>> set $.var2 = "bye";
> > > >>>> }
> > > >>>>
> > > >>>> input(type="imfile"
> > > >>>> File="/tmp/input.log"
> > > >>>> Ruleset="relay.htp1"
> > > >>>> Tag="tag")
> > > >>>>
> > > >>>>
> > > >>>> Scenario 2:
> > > >>>>
> > > >>>> module(load = "mmnormalize")
> > > >>>> ruleset(name = "relay.htp1" queue.type="Direct") {
> > > >>>> action(type = "mmnormalize"
> > > >>>> ruleBase="/etc/rsyslog.d/service.rulebase"
> > > >>>> path="$!msg")
> > > >>>> * // $!msg will be available here even though action is backed
> by a
> > > >>>> default Queue. *
> > > >>>> }
> > > >>>>
> > > >>>> input(type="imfile"
> > > >>>> File="/tmp/input.log"
> > > >>>> Ruleset="relay.htp1"
> > > >>>> Tag="tag")
> > > >>>>
> > > >>>>
> > > >>>> How come $!var1, $.var2 aren't available in scenario1 whereas
> $!msg is
> > > >>>> available when both are using Direct Queue. Am I missing something
> > > >>>> here ?
> > > >>>>
> > > >>> _______________________________________________
> > > >>> rsyslog mailing list
> > > >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >>> http://www.rsyslog.com/professional-services/
> > > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > >>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > > >>> POST if you DON'T LIKE THAT.
> > > >>>
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> > > of
> > > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > > DON'T
> > > > LIKE THAT.
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > > DON'T LIKE THAT.
> >
> >
> >
> > --
> > Regards,
> > Rajesh KSV
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 17 Sep 2021 09:09:49 +0200
> From: Mariusz Kruk <kruk@epsilon.eu.org>
> To: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <143588b6-1442-96c1-d526-41f4d8a0c8da@epsilon.eu.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> On 16.09.2021 21:26, David Lang wrote:
> > On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> >
> >>
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
> >>
> >>
> >> "Note that mmnormalize should only be called once on each message.
> >> Behaviour is undefined if multiple calls to mmnormalize happen for
> >> the same message."
> >
> > I called that out and it should have been removed from current
> > documentation.
> OK. Good to know.
> >
> >> From my tests it turns out that even with direct queue the message
> >> gets copied when entering a separate queue and thus the results are
> >> not inherited on the ruleset (and queue) exit.
> >>
> >> So it seems to be the mmnormalize that's causing the OP's variable to
> >> be retained after the ruleset exit.
> >
> > but if you don't specify any queue at all, then things inside a
> > ruleset will affect things outside the ruleset.
> >
> Sure. Then the flow inside a ruleset - which happens within the same
> queue as the "outside", will affect the variables seen in the queue. I
> use it heavily ;-)
>
> But the OP asked about the direct queue and it seems that this queue
> type is not "special" in anyway - it also creates a new scope.
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 17 Sep 2021 09:15:44 +0200
> From: Mariusz Kruk <kruk@epsilon.eu.org>
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <169664df-ec45-83e4-36f4-dbbaa7430de5@epsilon.eu.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Hmm...
>
> OK, so a simple setup of:
>
> [cut]
>
> ruleset(name="whatever" queue.type="direct") {
>
> ??? set $.msg="whatever";
>
> }
>
> set $.msg=$msg;
>
> call whatever
>
> template using $.msg
>
> output with the template
>
> [cut]
>
> Which from my tests shows that $.msg retains the $msg value even though
> it was supposed to be overwritten by the "whatever" ruleset is caused
> not by the queue mechanics but by non-linearity of execution and race?
>
> MK
>
> On 17.09.2021 08:55, Rainer Gerhards via rsyslog wrote:
> > The default queue mode is "direct" - no matter if it is explicitly
> > specified or not.
> >
> > There are indeed semantic differences between the "direct" queue
> > (a.k.a. "no real queue exists") and any other (real) queue type. As
> > you say, in direct mode, the message object is NOT copied. So anything
> > done to it, will potentially affect other uses of the very same
> > message object. I real queues, the message is copied and thus no
> > processing outside the scope of the queue is affected.
> >
> > NOTE WELL: if you have parts with direct AND real queues AND modify
> > messages in "direct queue constructs" AND have actions/rulesets with
> > real queues running in parallel, you have a race. If the modification
> > made by the direct queue part depends on whether processing of the
> > real queues has already started. For "regular" rule sets this is no
> > problem, because main processing is sequential. However, if you do
> > very complex setups with multipele rule sets calling into each other
> > and using different queue modes, this can affect you.
> >
> > It is best, also for maintainability, to have a simple sequential
> > structure in top level processing, spawning off topic rule sets (if at
> > all required). then do all "global" modifications at the beginning.
> > And do local (intentionally non outside-visible) modifications in the
> > topic rule sets.
> >
> > I hope this helps,
> > Rainer
> >
> > El vie, 17 sept 2021 a las 6:17, rajeshksv via rsyslog
> > (<rsyslog@lists.adiscon.com>) escribi?:
> >> Agreed. We don't need a direct queue before ruleset. I added it only to
> >> understand what's going with DIRECT Queues (Since its a very novel
> concept
> >> - Haven't heard something like this before)
> >>
> >> If you remove the DIRECT queue from ruleset(in Scenario I), then
> >> modifications done in ruleset are visible to the main lane. It's
> working as
> >> expected. But since I am interested in understanding DIRECT Queues, I
> added
> >> it.
> >>
> >>>>> Also, although the maintainers will need to say for sure, user
> variable
> >> defined in a call may not be visible to the parent. Same as in most
> >> programming languages.
> >> Rsyslog works in a different way, in few scenarios, user variables
> defined
> >> in a call will be visible to the parent (If ruleset is not backed by
> >> Queue). So, its not similar to other languages ;)
> >>
> >>>>> "Note that mmnormalize should only be called once on each message.
> >> Behaviour is undefined if multiple calls to mmnormalize happen for the
> >> same message."
> >> Its a documentation bug, Rainer has raised a PR and will be resolved
> soon -
> >> https://github.com/rsyslog/rsyslog-doc/pull/931/files. Its safe to use
> it
> >> multiple times.
> >>
> >>
> >> On Fri, Sep 17, 2021 at 12:56 AM David Lang via rsyslog <
> >> rsyslog@lists.adiscon.com> wrote:
> >>
> >>> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> >>>
> >>>
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
> >>>> "Note that mmnormalize should only be called once on each message.
> >>>> Behaviour is undefined if multiple calls to mmnormalize happen for the
> >>>> same message."
> >>> I called that out and it should have been removed from current
> >>> documentation.
> >>>
> >>>> From my tests it turns out that even with direct queue the message
> gets
> >>>> copied when entering a separate queue and thus the results are not
> >>>> inherited on the ruleset (and queue) exit.
> >>>>
> >>>> So it seems to be the mmnormalize that's causing the OP's variable to
> be
> >>>> retained after the ruleset exit.
> >>> but if you don't specify any queue at all, then things inside a ruleset
> >>> will
> >>> affect things outside the ruleset.
> >>>
> >>> David Lang
> >>>
> >>>> On 16.09.2021 20:54, David Lang wrote:
> >>>>> There is no reason you can't call mmnormalize multiple times, you can
> >>>>> specify where to put the results (by default, they go under $!)
> >>>>>
> >>>>> I'm not really sure what a direct queue on a ruleset means, you
> should
> >>>>> just call the ruleset without it having any queue on it.
> >>>>>
> >>>>> David Lang
> >>>>>
> >>>>> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> >>>>>
> >>>>>> I believe it's not about queue, but about mmnormalize. I haven't
> used
> >>>>>> mmnormalize much myself but from the docs I understand that
> >>>>>> mmnormalize should only be called once on a message and is supposed
> >>>>>> to parse the message into a set of "global" properties.
> >>>>>>
> >>>>>>
> >>>>>> On 16.09.2021 15:21, rajeshksv via rsyslog wrote:
> >>>>>>> Hi Rsyslog Users,
> >>>>>>>
> >>>>>>> I am trying to understand how queues work in Rsyslog. In case of
> >>>>>>> non-direct
> >>>>>>> queues, message is copied and placed in the queue and message
> >>>>>>> modifications
> >>>>>>> done by queue workers won't have any impact on the original
> message.
> >>>>>>> Makes
> >>>>>>> sense here.
> >>>>>>>
> >>>>>>> However, I am a little confused when it comes to direct Queue.
> What
> >>>>>>> happens in Direct Queue ? Will the message be copied or is it the
> same
> >>>>>>> message ? I tested out two scenarios (wrt rulesets and actions)
> and
> >>>>>>> both
> >>>>>>> of them gave different results.
> >>>>>>>
> >>>>>>> When ruleset is backed by a direct Queue, message modifications
> done
> >>> in
> >>>>>>> ruleset don't reflect back in original flow where as in case of
> >>> actions
> >>>>>>> (such mmnormalize, mmkubernetes) which are by default backed by
> direct
> >>>>>>> Queue, message modifications done with action reflects in original
> >>> flow
> >>>>>>> Scenario 1:
> >>>>>>>
> >>>>>>> template(name="abc" type="string" string="%$!var1% %$.var2% %msg%")
> >>>>>>>
> >>>>>>> ruleset(name="relay.htp1" queue.type="Direct") {
> >>>>>>> call rs1
> >>>>>>> * // $!var1, $.var2 aren't available here*
> >>>>>>> action(type="omfile" file="/tmp/output.log" template="abc")
> >>>>>>> call relay.htp
> >>>>>>> }
> >>>>>>>
> >>>>>>> ruleset(name="rs1" queue.type="Direct"){
> >>>>>>> set $!var1 = "hello";
> >>>>>>> set $.var2 = "bye";
> >>>>>>> }
> >>>>>>>
> >>>>>>> input(type="imfile"
> >>>>>>> File="/tmp/input.log"
> >>>>>>> Ruleset="relay.htp1"
> >>>>>>> Tag="tag")
> >>>>>>>
> >>>>>>>
> >>>>>>> Scenario 2:
> >>>>>>>
> >>>>>>> module(load = "mmnormalize")
> >>>>>>> ruleset(name = "relay.htp1" queue.type="Direct") {
> >>>>>>> action(type = "mmnormalize"
> >>>>>>> ruleBase="/etc/rsyslog.d/service.rulebase"
> >>>>>>> path="$!msg")
> >>>>>>> * // $!msg will be available here even though action is backed
> by a
> >>>>>>> default Queue. *
> >>>>>>> }
> >>>>>>>
> >>>>>>> input(type="imfile"
> >>>>>>> File="/tmp/input.log"
> >>>>>>> Ruleset="relay.htp1"
> >>>>>>> Tag="tag")
> >>>>>>>
> >>>>>>>
> >>>>>>> How come $!var1, $.var2 aren't available in scenario1 whereas
> $!msg is
> >>>>>>> available when both are using Direct Queue. Am I missing something
> >>>>>>> here ?
> >>>>>>>
> >>>>>> _______________________________________________
> >>>>>> rsyslog mailing list
> >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>> http://www.rsyslog.com/professional-services/
> >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> >>>>>> POST if you DON'T LIKE THAT.
> >>>>>>
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>> http://www.rsyslog.com/professional-services/
> >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> >>> of
> >>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T
> >>>> LIKE THAT.
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T LIKE THAT.
> >>
> >>
> >> --
> >> Regards,
> >> Rajesh KSV
> >> _______________________________________________
> >> rsyslog mailing list
> >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you DON'T LIKE THAT.
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
>
> ------------------------------
>
> Message: 8
> Date: Fri, 17 Sep 2021 09:32:44 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID:
> <
> CADk+mPA80qA3vipxYN47rg3dow+AQY1sxfO86PDmYBWTwSFSvA@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> El vie, 17 sept 2021 a las 9:15, Mariusz Kruk via rsyslog
> (<rsyslog@lists.adiscon.com>) escribi?:
> >
> > Hmm...
> >
> > OK, so a simple setup of:
> >
> > [cut]
> >
> > ruleset(name="whatever" queue.type="direct") {
> >
> > set $.msg="whatever";
> >
> > }
> >
> > set $.msg=$msg;
> >
> > call whatever
> >
> > template using $.msg
> >
> > output with the template
> >
> > [cut]
> >
> > Which from my tests shows that $.msg retains the $msg value even though
> > it was supposed to be overwritten by the "whatever" ruleset is caused
> > not by the queue mechanics but by non-linearity of execution and race?
>
> I'll check. Maybe my memory served me incorrectly - but I don't think so.
>
> Rainer
>
> >
> > MK
>
>
> >
> > On 17.09.2021 08:55, Rainer Gerhards via rsyslog wrote:
> > > The default queue mode is "direct" - no matter if it is explicitly
> > > specified or not.
> > >
> > > There are indeed semantic differences between the "direct" queue
> > > (a.k.a. "no real queue exists") and any other (real) queue type. As
> > > you say, in direct mode, the message object is NOT copied. So anything
> > > done to it, will potentially affect other uses of the very same
> > > message object. I real queues, the message is copied and thus no
> > > processing outside the scope of the queue is affected.
> > >
> > > NOTE WELL: if you have parts with direct AND real queues AND modify
> > > messages in "direct queue constructs" AND have actions/rulesets with
> > > real queues running in parallel, you have a race. If the modification
> > > made by the direct queue part depends on whether processing of the
> > > real queues has already started. For "regular" rule sets this is no
> > > problem, because main processing is sequential. However, if you do
> > > very complex setups with multipele rule sets calling into each other
> > > and using different queue modes, this can affect you.
> > >
> > > It is best, also for maintainability, to have a simple sequential
> > > structure in top level processing, spawning off topic rule sets (if at
> > > all required). then do all "global" modifications at the beginning.
> > > And do local (intentionally non outside-visible) modifications in the
> > > topic rule sets.
> > >
> > > I hope this helps,
> > > Rainer
> > >
> > > El vie, 17 sept 2021 a las 6:17, rajeshksv via rsyslog
> > > (<rsyslog@lists.adiscon.com>) escribi?:
> > >> Agreed. We don't need a direct queue before ruleset. I added it only
> to
> > >> understand what's going with DIRECT Queues (Since its a very novel
> concept
> > >> - Haven't heard something like this before)
> > >>
> > >> If you remove the DIRECT queue from ruleset(in Scenario I), then
> > >> modifications done in ruleset are visible to the main lane. It's
> working as
> > >> expected. But since I am interested in understanding DIRECT Queues, I
> added
> > >> it.
> > >>
> > >>>>> Also, although the maintainers will need to say for sure, user
> variable
> > >> defined in a call may not be visible to the parent. Same as in most
> > >> programming languages.
> > >> Rsyslog works in a different way, in few scenarios, user variables
> defined
> > >> in a call will be visible to the parent (If ruleset is not backed by
> > >> Queue). So, its not similar to other languages ;)
> > >>
> > >>>>> "Note that mmnormalize should only be called once on each message.
> > >> Behaviour is undefined if multiple calls to mmnormalize happen for the
> > >> same message."
> > >> Its a documentation bug, Rainer has raised a PR and will be resolved
> soon -
> > >> https://github.com/rsyslog/rsyslog-doc/pull/931/files. Its safe to
> use it
> > >> multiple times.
> > >>
> > >>
> > >> On Fri, Sep 17, 2021 at 12:56 AM David Lang via rsyslog <
> > >> rsyslog@lists.adiscon.com> wrote:
> > >>
> > >>> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> > >>>
> > >>>
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
> > >>>> "Note that mmnormalize should only be called once on each message.
> > >>>> Behaviour is undefined if multiple calls to mmnormalize happen for
> the
> > >>>> same message."
> > >>> I called that out and it should have been removed from current
> > >>> documentation.
> > >>>
> > >>>> From my tests it turns out that even with direct queue the message
> gets
> > >>>> copied when entering a separate queue and thus the results are not
> > >>>> inherited on the ruleset (and queue) exit.
> > >>>>
> > >>>> So it seems to be the mmnormalize that's causing the OP's variable
> to be
> > >>>> retained after the ruleset exit.
> > >>> but if you don't specify any queue at all, then things inside a
> ruleset
> > >>> will
> > >>> affect things outside the ruleset.
> > >>>
> > >>> David Lang
> > >>>
> > >>>> On 16.09.2021 20:54, David Lang wrote:
> > >>>>> There is no reason you can't call mmnormalize multiple times, you
> can
> > >>>>> specify where to put the results (by default, they go under $!)
> > >>>>>
> > >>>>> I'm not really sure what a direct queue on a ruleset means, you
> should
> > >>>>> just call the ruleset without it having any queue on it.
> > >>>>>
> > >>>>> David Lang
> > >>>>>
> > >>>>> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> > >>>>>
> > >>>>>> I believe it's not about queue, but about mmnormalize. I haven't
> used
> > >>>>>> mmnormalize much myself but from the docs I understand that
> > >>>>>> mmnormalize should only be called once on a message and is
> supposed
> > >>>>>> to parse the message into a set of "global" properties.
> > >>>>>>
> > >>>>>>
> > >>>>>> On 16.09.2021 15:21, rajeshksv via rsyslog wrote:
> > >>>>>>> Hi Rsyslog Users,
> > >>>>>>>
> > >>>>>>> I am trying to understand how queues work in Rsyslog. In case of
> > >>>>>>> non-direct
> > >>>>>>> queues, message is copied and placed in the queue and message
> > >>>>>>> modifications
> > >>>>>>> done by queue workers won't have any impact on the original
> message.
> > >>>>>>> Makes
> > >>>>>>> sense here.
> > >>>>>>>
> > >>>>>>> However, I am a little confused when it comes to direct Queue.
> What
> > >>>>>>> happens in Direct Queue ? Will the message be copied or is it
> the same
> > >>>>>>> message ? I tested out two scenarios (wrt rulesets and actions)
> and
> > >>>>>>> both
> > >>>>>>> of them gave different results.
> > >>>>>>>
> > >>>>>>> When ruleset is backed by a direct Queue, message modifications
> done
> > >>> in
> > >>>>>>> ruleset don't reflect back in original flow where as in case of
> > >>> actions
> > >>>>>>> (such mmnormalize, mmkubernetes) which are by default backed by
> direct
> > >>>>>>> Queue, message modifications done with action reflects in
> original
> > >>> flow
> > >>>>>>> Scenario 1:
> > >>>>>>>
> > >>>>>>> template(name="abc" type="string" string="%$!var1% %$.var2%
> %msg%")
> > >>>>>>>
> > >>>>>>> ruleset(name="relay.htp1" queue.type="Direct") {
> > >>>>>>> call rs1
> > >>>>>>> * // $!var1, $.var2 aren't available here*
> > >>>>>>> action(type="omfile" file="/tmp/output.log"
> template="abc")
> > >>>>>>> call relay.htp
> > >>>>>>> }
> > >>>>>>>
> > >>>>>>> ruleset(name="rs1" queue.type="Direct"){
> > >>>>>>> set $!var1 = "hello";
> > >>>>>>> set $.var2 = "bye";
> > >>>>>>> }
> > >>>>>>>
> > >>>>>>> input(type="imfile"
> > >>>>>>> File="/tmp/input.log"
> > >>>>>>> Ruleset="relay.htp1"
> > >>>>>>> Tag="tag")
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> Scenario 2:
> > >>>>>>>
> > >>>>>>> module(load = "mmnormalize")
> > >>>>>>> ruleset(name = "relay.htp1" queue.type="Direct") {
> > >>>>>>> action(type = "mmnormalize"
> > >>>>>>> ruleBase="/etc/rsyslog.d/service.rulebase"
> > >>>>>>> path="$!msg")
> > >>>>>>> * // $!msg will be available here even though action is
> backed by a
> > >>>>>>> default Queue. *
> > >>>>>>> }
> > >>>>>>>
> > >>>>>>> input(type="imfile"
> > >>>>>>> File="/tmp/input.log"
> > >>>>>>> Ruleset="relay.htp1"
> > >>>>>>> Tag="tag")
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> How come $!var1, $.var2 aren't available in scenario1 whereas
> $!msg is
> > >>>>>>> available when both are using Direct Queue. Am I missing
> something
> > >>>>>>> here ?
> > >>>>>>>
> > >>>>>> _______________________________________________
> > >>>>>> rsyslog mailing list
> > >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>>>>> http://www.rsyslog.com/professional-services/
> > >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > >>>>>> POST if you DON'T LIKE THAT.
> > >>>>>>
> > >>>> _______________________________________________
> > >>>> rsyslog mailing list
> > >>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>>> http://www.rsyslog.com/professional-services/
> > >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> > >>> of
> > >>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > >>> DON'T
> > >>>> LIKE THAT.
> > >>> _______________________________________________
> > >>> rsyslog mailing list
> > >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>> http://www.rsyslog.com/professional-services/
> > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> > >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you
> > >>> DON'T LIKE THAT.
> > >>
> > >>
> > >> --
> > >> Regards,
> > >> Rajesh KSV
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you DON'T LIKE THAT.
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you DON'T LIKE THAT.
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
>
> ------------------------------
>
> Message: 9
> Date: Fri, 17 Sep 2021 10:39:15 +0200
> From: Mariusz Kruk <kruk@epsilon.eu.org>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <32484bdd-8bab-1132-5888-2c3e62afb622@epsilon.eu.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> On 17.09.2021 09:32, Rainer Gerhards wrote:
> > El vie, 17 sept 2021 a las 9:15, Mariusz Kruk via rsyslog
> > (<rsyslog@lists.adiscon.com>) escribi?:
> >> Hmm...
> >>
> >> OK, so a simple setup of:
> >>
> >> [cut]
> >>
> >> ruleset(name="whatever" queue.type="direct") {
> >>
> >> set $.msg="whatever";
> >>
> >> }
> >>
> >> set $.msg=$msg;
> >>
> >> call whatever
> >>
> >> template using $.msg
> >>
> >> output with the template
> >>
> >> [cut]
> >>
> >> Which from my tests shows that $.msg retains the $msg value even though
> >> it was supposed to be overwritten by the "whatever" ruleset is caused
> >> not by the queue mechanics but by non-linearity of execution and race?
> > I'll check. Maybe my memory served me incorrectly - but I don't think so.
> >
> > Rainer
> >
> Sure. I'm not the one to argue with you about the internals of the code,
> especially when I haven't looked into it ;-)
>
> But - just to check - I did a config of:
>
> [typical standard fedora rsyslog at the beginning and then:]
>
> ruleset(name="whatever" queue.type="Direct") {
> ??? set $.msg="static value";
> }
>
> template(name="dumper" type="list") {
> ??? property(name=".msg")
> ??? constant(value="\n")
> }
> set $.msg=$msg;
> call whatever
> action(type="omfile" file="/tmp/log.log" template="dumper")
> action(type="omfile" file="/tmp/rsyslog.debug"
> template="RSYSLOG_DebugFormat")
>
> In the log.log file I got a normal log of system events (obviously
> without the headers since the template includes only $.msg which is
> assigned a value of $msg).
>
> In the debug file I have entries like
>
> Debug line with all properties:
> FROMHOST: 'scmkrlx', fromhost-ip: '127.0.0.1', HOSTNAME: 'scmkrlx', PRI:
> 86, syslogtag 'sudo:', programname: 'sudo', APP-NAME: 'sudo', PROCID:
> '-', MSGID: '-', TIMESTAMP: 'Sep 17 10:28:28', STRUCTURED-DATA: '-',
> msg: ' pam_unix(sudo:session): session opened for user root(uid=0) by
> (uid=1000)'
> escaped msg: ' pam_unix(sudo:session): session opened for user
> root(uid=0) by (uid=1000)'
> inputname: imuxsock rawmsg: '<86>Sep 17 10:28:28 sudo:
> pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)'
> $!:
> $.:{ "msg": " pam_unix(sudo:session): session opened for user
> root(uid=0) by (uid=1000)" }
>
> As you can clearly see, the $.msg is getting assigned the $msg value and
> _not_ overwritten by the static value.
>
> But if I omit the queue type completely from the ruleset definition
>
> ruleset(name="whatever") {
> ??? set $.msg="static value";
> }
>
> The rest of the config being the same, I get:
>
> Debug line with all properties:
> FROMHOST: 'scmkrlx', fromhost-ip: '127.0.0.1', HOSTNAME: 'scmkrlx', PRI:
> 86, syslogtag 'sudo:', programname: 'sudo', APP-NAME: 'sudo', PROCID:
> '-', MSGID: '-', TIMESTAMP: 'Sep 17 10:36:13', STRUCTURED-DATA: '-',
> msg: ' pam_unix(sudo:session): session opened for user root(uid=0) by
> (uid=1000)'
> escaped msg: ' pam_unix(sudo:session): session opened for user
> root(uid=0) by (uid=1000)'
> inputname: imuxsock rawmsg: '<86>Sep 17 10:36:13 sudo:
> pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)'
> $!:
> $.:{ "msg": "static value" }
> $/:
>
> And of course in the "main" log I get only the lines with "static value"
> instead of the original $msg.
>
>
>
> ------------------------------
>
> Message: 10
> Date: Fri, 17 Sep 2021 10:53:35 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID:
> <
> CADk+mPCqOcdzOt3xi+6r3bf9TYFya-5Zb4e47yE+Wi-saxp_zQ@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> > > Which from my tests shows that $.msg retains the $msg value even though
> > > it was supposed to be overwritten by the "whatever" ruleset is caused
> > > not by the queue mechanics but by non-linearity of execution and race?
> >
> > I'll check. Maybe my memory served me incorrectly - but I don't think so.
>
> OK, it's actually a kind of bug, but one that we better not fix.
>
> Here is what happens:
> Call, by design, is able to call a rule set either synchronously or
> asynchronously. We did this, because practice showed that both modes
> are needed. For various reasons (would need to dig out, but IIRC
> "backwards compatibility" as among them), we decided to make async
> calls if the ruleset has a queue assigned and sync if not.
>
> Now comes the bug: to know if a "queue is assigned" we just check if
> queue parameters are given. I overlooked the case of someone
> explicitly specifying a "direct queue", aka "no queue". As such,
> queue="direct" triggers async calls. That in turn means while the
> actually the same message object IS modified, the mentioned race
> occurs. In many cases (OS scheduling reasons), the next action will be
> executed before the async rule set (active thread vs. waiting thread).
> So the output uses the old value before the ruleset sets the new one.
>
> Can we fix this?
> Yes, it's easy, just check queue type and if it is "direct", do a sync
> call.
>
> BUT: this would potentially break existing configurations, something
> we do only if there is really a very good reason to do so. I do not
> see the case strong enough for a breaking fix.
>
> I think I will add a warning message when a direct queue type is
> detected but explicitly set. So users can become aware of the issue.
>
> Any objections?
>
> Rainer
>
>
> >
> > Rainer
> >
> > >
> > > MK
> >
> >
> > >
> > > On 17.09.2021 08:55, Rainer Gerhards via rsyslog wrote:
> > > > The default queue mode is "direct" - no matter if it is explicitly
> > > > specified or not.
> > > >
> > > > There are indeed semantic differences between the "direct" queue
> > > > (a.k.a. "no real queue exists") and any other (real) queue type. As
> > > > you say, in direct mode, the message object is NOT copied. So
> anything
> > > > done to it, will potentially affect other uses of the very same
> > > > message object. I real queues, the message is copied and thus no
> > > > processing outside the scope of the queue is affected.
> > > >
> > > > NOTE WELL: if you have parts with direct AND real queues AND modify
> > > > messages in "direct queue constructs" AND have actions/rulesets with
> > > > real queues running in parallel, you have a race. If the modification
> > > > made by the direct queue part depends on whether processing of the
> > > > real queues has already started. For "regular" rule sets this is no
> > > > problem, because main processing is sequential. However, if you do
> > > > very complex setups with multipele rule sets calling into each other
> > > > and using different queue modes, this can affect you.
> > > >
> > > > It is best, also for maintainability, to have a simple sequential
> > > > structure in top level processing, spawning off topic rule sets (if
> at
> > > > all required). then do all "global" modifications at the beginning.
> > > > And do local (intentionally non outside-visible) modifications in the
> > > > topic rule sets.
> > > >
> > > > I hope this helps,
> > > > Rainer
> > > >
> > > > El vie, 17 sept 2021 a las 6:17, rajeshksv via rsyslog
> > > > (<rsyslog@lists.adiscon.com>) escribi?:
> > > >> Agreed. We don't need a direct queue before ruleset. I added it
> only to
> > > >> understand what's going with DIRECT Queues (Since its a very novel
> concept
> > > >> - Haven't heard something like this before)
> > > >>
> > > >> If you remove the DIRECT queue from ruleset(in Scenario I), then
> > > >> modifications done in ruleset are visible to the main lane. It's
> working as
> > > >> expected. But since I am interested in understanding DIRECT Queues,
> I added
> > > >> it.
> > > >>
> > > >>>>> Also, although the maintainers will need to say for sure, user
> variable
> > > >> defined in a call may not be visible to the parent. Same as in most
> > > >> programming languages.
> > > >> Rsyslog works in a different way, in few scenarios, user variables
> defined
> > > >> in a call will be visible to the parent (If ruleset is not backed by
> > > >> Queue). So, its not similar to other languages ;)
> > > >>
> > > >>>>> "Note that mmnormalize should only be called once on each
> message.
> > > >> Behaviour is undefined if multiple calls to mmnormalize happen for
> the
> > > >> same message."
> > > >> Its a documentation bug, Rainer has raised a PR and will be
> resolved soon -
> > > >> https://github.com/rsyslog/rsyslog-doc/pull/931/files. Its safe to
> use it
> > > >> multiple times.
> > > >>
> > > >>
> > > >> On Fri, Sep 17, 2021 at 12:56 AM David Lang via rsyslog <
> > > >> rsyslog@lists.adiscon.com> wrote:
> > > >>
> > > >>> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> > > >>>
> > > >>>
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
> > > >>>> "Note that mmnormalize should only be called once on each message.
> > > >>>> Behaviour is undefined if multiple calls to mmnormalize happen
> for the
> > > >>>> same message."
> > > >>> I called that out and it should have been removed from current
> > > >>> documentation.
> > > >>>
> > > >>>> From my tests it turns out that even with direct queue the
> message gets
> > > >>>> copied when entering a separate queue and thus the results are not
> > > >>>> inherited on the ruleset (and queue) exit.
> > > >>>>
> > > >>>> So it seems to be the mmnormalize that's causing the OP's
> variable to be
> > > >>>> retained after the ruleset exit.
> > > >>> but if you don't specify any queue at all, then things inside a
> ruleset
> > > >>> will
> > > >>> affect things outside the ruleset.
> > > >>>
> > > >>> David Lang
> > > >>>
> > > >>>> On 16.09.2021 20:54, David Lang wrote:
> > > >>>>> There is no reason you can't call mmnormalize multiple times,
> you can
> > > >>>>> specify where to put the results (by default, they go under $!)
> > > >>>>>
> > > >>>>> I'm not really sure what a direct queue on a ruleset means, you
> should
> > > >>>>> just call the ruleset without it having any queue on it.
> > > >>>>>
> > > >>>>> David Lang
> > > >>>>>
> > > >>>>> On Thu, 16 Sep 2021, Mariusz Kruk via rsyslog wrote:
> > > >>>>>
> > > >>>>>> I believe it's not about queue, but about mmnormalize. I
> haven't used
> > > >>>>>> mmnormalize much myself but from the docs I understand that
> > > >>>>>> mmnormalize should only be called once on a message and is
> supposed
> > > >>>>>> to parse the message into a set of "global" properties.
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> On 16.09.2021 15:21, rajeshksv via rsyslog wrote:
> > > >>>>>>> Hi Rsyslog Users,
> > > >>>>>>>
> > > >>>>>>> I am trying to understand how queues work in Rsyslog. In case
> of
> > > >>>>>>> non-direct
> > > >>>>>>> queues, message is copied and placed in the queue and message
> > > >>>>>>> modifications
> > > >>>>>>> done by queue workers won't have any impact on the original
> message.
> > > >>>>>>> Makes
> > > >>>>>>> sense here.
> > > >>>>>>>
> > > >>>>>>> However, I am a little confused when it comes to direct
> Queue. What
> > > >>>>>>> happens in Direct Queue ? Will the message be copied or is it
> the same
> > > >>>>>>> message ? I tested out two scenarios (wrt rulesets and
> actions) and
> > > >>>>>>> both
> > > >>>>>>> of them gave different results.
> > > >>>>>>>
> > > >>>>>>> When ruleset is backed by a direct Queue, message
> modifications done
> > > >>> in
> > > >>>>>>> ruleset don't reflect back in original flow where as in case of
> > > >>> actions
> > > >>>>>>> (such mmnormalize, mmkubernetes) which are by default backed
> by direct
> > > >>>>>>> Queue, message modifications done with action reflects in
> original
> > > >>> flow
> > > >>>>>>> Scenario 1:
> > > >>>>>>>
> > > >>>>>>> template(name="abc" type="string" string="%$!var1% %$.var2%
> %msg%")
> > > >>>>>>>
> > > >>>>>>> ruleset(name="relay.htp1" queue.type="Direct") {
> > > >>>>>>> call rs1
> > > >>>>>>> * // $!var1, $.var2 aren't available here*
> > > >>>>>>> action(type="omfile" file="/tmp/output.log"
> template="abc")
> > > >>>>>>> call relay.htp
> > > >>>>>>> }
> > > >>>>>>>
> > > >>>>>>> ruleset(name="rs1" queue.type="Direct"){
> > > >>>>>>> set $!var1 = "hello";
> > > >>>>>>> set $.var2 = "bye";
> > > >>>>>>> }
> > > >>>>>>>
> > > >>>>>>> input(type="imfile"
> > > >>>>>>> File="/tmp/input.log"
> > > >>>>>>> Ruleset="relay.htp1"
> > > >>>>>>> Tag="tag")
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> Scenario 2:
> > > >>>>>>>
> > > >>>>>>> module(load = "mmnormalize")
> > > >>>>>>> ruleset(name = "relay.htp1" queue.type="Direct") {
> > > >>>>>>> action(type = "mmnormalize"
> > > >>>>>>> ruleBase="/etc/rsyslog.d/service.rulebase"
> > > >>>>>>> path="$!msg")
> > > >>>>>>> * // $!msg will be available here even though action is
> backed by a
> > > >>>>>>> default Queue. *
> > > >>>>>>> }
> > > >>>>>>>
> > > >>>>>>> input(type="imfile"
> > > >>>>>>> File="/tmp/input.log"
> > > >>>>>>> Ruleset="relay.htp1"
> > > >>>>>>> Tag="tag")
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> How come $!var1, $.var2 aren't available in scenario1 whereas
> $!msg is
> > > >>>>>>> available when both are using Direct Queue. Am I missing
> something
> > > >>>>>>> here ?
> > > >>>>>>>
> > > >>>>>> _______________________________________________
> > > >>>>>> rsyslog mailing list
> > > >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >>>>>> http://www.rsyslog.com/professional-services/
> > > >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by
> a
> > > >>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO
> NOT
> > > >>>>>> POST if you DON'T LIKE THAT.
> > > >>>>>>
> > > >>>> _______________________________________________
> > > >>>> rsyslog mailing list
> > > >>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >>>> http://www.rsyslog.com/professional-services/
> > > >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> > > >>> of
> > > >>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you
> > > >>> DON'T
> > > >>>> LIKE THAT.
> > > >>> _______________________________________________
> > > >>> rsyslog mailing list
> > > >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >>> http://www.rsyslog.com/professional-services/
> > > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> > > >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you
> > > >>> DON'T LIKE THAT.
> > > >>
> > > >>
> > > >> --
> > > >> Regards,
> > > >> Rajesh KSV
> > > >> _______________________________________________
> > > >> rsyslog mailing list
> > > >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >> http://www.rsyslog.com/professional-services/
> > > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you DON'T LIKE THAT.
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you DON'T LIKE THAT.
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you DON'T LIKE THAT.
>
>
> ------------------------------
>
> Message: 11
> Date: Fri, 17 Sep 2021 10:57:24 +0200
> From: Mariusz Kruk <kruk@epsilon.eu.org>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <30cac1c9-1149-b7e7-0d6f-335b46eeef96@epsilon.eu.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 17.09.2021 10:53, Rainer Gerhards wrote:
> >
> > BUT: this would potentially break existing configurations, something
> > we do only if there is really a very good reason to do so. I do not
> > see the case strong enough for a breaking fix.
> >
> > I think I will add a warning message when a direct queue type is
> > detected but explicitly set. So users can become aware of the issue.
> >
> > Any objections?
> >
> > Rainer
> >
> As long as the behaviour is documented and predictable/understandable I
> think it's a good solution.
>
>
>
> ------------------------------
>
> Message: 12
> Date: Fri, 17 Sep 2021 02:11:47 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: Rainer Gerhards via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <nycvar.QRO.7.76.6.2109170203380.8265@qynat-yncgbc>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Fri, 17 Sep 2021, Rainer Gerhards via rsyslog wrote:
>
> > Can we fix this?
> > Yes, it's easy, just check queue type and if it is "direct", do a sync
> call.
> >
> > BUT: this would potentially break existing configurations, something
> > we do only if there is really a very good reason to do so. I do not
> > see the case strong enough for a breaking fix.
> >
> > I think I will add a warning message when a direct queue type is
> > detected but explicitly set. So users can become aware of the issue.
> >
> > Any objections?
>
> given that the result of specifying queue=direct is an undefined race
> condition,
> I think we need to at least add a big warning, and don't think it would be
> unreasonable to change this behavior to make it defined (turn it into a
> sync
> call)
>
> in the docs, we tell people to use a queue type of linkedlist when they
> want
> things to be async (at some point we should have examples that say
> fixedarray as
> people fall into the trap of thinking only linkedlist does this), but
> nowhere do
> we say that queue type direct would make anything async
>
> yes, it is a behavior change, which normally I oppose, but in this case it
> seems
> to be a behavior change away from something that is arguably against what
> the
> docs say, is unlikly to be used in the real world, and currently produces
> unpredictable results
>
> in the race condition, could the current behavior trigger a different
> message
> being changed? or writes to freed memory if the called ruleset is
> modifying the
> message object after the parent has finished processing the message
> entirely? or
> is it copied so that it's safe, just won't popogate changes back?
> (unexpectedly
> per the docs)
>
> David Lang
>
>
> ------------------------------
>
> Message: 13
> Date: Fri, 17 Sep 2021 02:14:05 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID: <nycvar.QRO.7.76.6.2109170212100.8265@qynat-yncgbc>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Fri, 17 Sep 2021, Mariusz Kruk via rsyslog wrote:
>
> >>> From my tests it turns out that even with direct queue the message
> gets
> >>> copied when entering a separate queue and thus the results are not
> >>> inherited on the ruleset (and queue) exit.
> >>>
> >>> So it seems to be the mmnormalize that's causing the OP's variable to
> be
> >>> retained after the ruleset exit.
> >>
> >> but if you don't specify any queue at all, then things inside a ruleset
> >> will affect things outside the ruleset.
> >>
> > Sure. Then the flow inside a ruleset - which happens within the same
> queue as
> > the "outside", will affect the variables seen in the queue. I use it
> heavily
> > ;-)
> >
> > But the OP asked about the direct queue and it seems that this queue
> type is
> > not "special" in anyway - it also creates a new scope.
>
> the issue is that throughout the documentation, we say that not specifying
> a
> queue is the same as specifying a queue type of direct. In this case, it's
> not.
>
> so we can document this case where real-world behavior doesn't match the
> docs,
> and add a large warning about it.
>
> or
>
> we can fix it to match the docs, and add a warning about the behavior
> change.
>
> David Lang
>
>
> ------------------------------
>
> Message: 14
> Date: Fri, 17 Sep 2021 11:14:15 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID:
> <
> CADk+mPBsuj4NN3MyYse0KpQTkYNveae5Synrz_eg003UQpQCFg@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> This is what I now emit:
>
> on or before line 26: rule set 'rs1' has queue type 'direct'
> explicitly set, ruleset will still be called asynchronously. This is
> often not what you want. If so, remove 'queue.type="direct"' from the
> ruleset definition.
>
> Rainer
>
> El vie, 17 sept 2021 a las 10:57, Mariusz Kruk via rsyslog
> (<rsyslog@lists.adiscon.com>) escribi?:
> >
> > On 17.09.2021 10:53, Rainer Gerhards wrote:
> > >
> > > BUT: this would potentially break existing configurations, something
> > > we do only if there is really a very good reason to do so. I do not
> > > see the case strong enough for a breaking fix.
> > >
> > > I think I will add a warning message when a direct queue type is
> > > detected but explicitly set. So users can become aware of the issue.
> > >
> > > Any objections?
> > >
> > > Rainer
> > >
> > As long as the behaviour is documented and predictable/understandable I
> > think it's a good solution.
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
>
> ------------------------------
>
> Message: 15
> Date: Fri, 17 Sep 2021 11:21:06 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID:
> <
> CADk+mPB-+Ey1e8+U-QWpNGHEJZ_kVK42CS3v5X3XCcJSt5aQBA@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> > the issue is that throughout the documentation, we say that not
> specifying a
> > queue is the same as specifying a queue type of direct. In this case,
> it's not.
>
> no, no!
>
> All is right, except that the "call" statement calling a ruleset async
> even when only a queue type direct is set.
>
> Behaviour of queues is as it always was, and direct does not de-couple.
>
> It is "call" which is executed on a different thread when we detect
> queue parameters on a ruleset. Anything else is correct. This can be
> clarified here:
>
> https://www.rsyslog.com/doc/master/rainerscript/rainerscript_call.html
>
> but nowhere else!
>
> Tech details: if call detects a queue on the ruleset, it posts the
> message to that queue. Otherwise, it runs the ruleset as a subroutine
> (links directly to the rulesets AST). This ensures synchronicity even
> when running on multiple threads.
>
> Rainer
>
>
> ------------------------------
>
> Message: 16
> Date: Fri, 17 Sep 2021 14:41:36 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID:
> <
> CADk+mPD54LAjSsS54cUxm44N3t_dA_pi_RPQZ7iM3qf8OGgnnw@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> David,
>
> I reconsidered your point and am currently having a more in-depth
> look. Maybe something is indeed fishy... Just for everyone's info.
> Will post more when I know more ;-)
>
> Rainer
>
> El vie, 17 sept 2021 a las 11:21, Rainer Gerhards
> (<rgerhards@hq.adiscon.com>) escribi?:
> >
> > > the issue is that throughout the documentation, we say that not
> specifying a
> > > queue is the same as specifying a queue type of direct. In this case,
> it's not.
> >
> > no, no!
> >
> > All is right, except that the "call" statement calling a ruleset async
> > even when only a queue type direct is set.
> >
> > Behaviour of queues is as it always was, and direct does not de-couple.
> >
> > It is "call" which is executed on a different thread when we detect
> > queue parameters on a ruleset. Anything else is correct. This can be
> > clarified here:
> >
> > https://www.rsyslog.com/doc/master/rainerscript/rainerscript_call.html
> >
> > but nowhere else!
> >
> > Tech details: if call detects a queue on the ruleset, it posts the
> > message to that queue. Otherwise, it runs the ruleset as a subroutine
> > (links directly to the rulesets AST). This ensures synchronicity even
> > when running on multiple threads.
> >
> > Rainer
>
>
> ------------------------------
>
> Message: 17
> Date: Fri, 17 Sep 2021 15:50:25 +0100
> From: rking@abbyking.co.uk
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] Create Cry key
> Message-ID:
> <1d57c48b-8413-2be4-46a5-9894a6371d5e@ultrasecure-it.co.uk>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi,
>
> How do you create a cry key for use in rsyslog?
>
> The rscrytool utility seems to no longer available.
>
> Thank you.
>
>
>
> ------------------------------
>
> Message: 18
> Date: Fri, 17 Sep 2021 16:53:24 +0200
> From: Mariusz Kruk <kruk@epsilon.eu.org>
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Create Cry key
> Message-ID: <de703ab7-230b-d45e-ab23-fcd24b57eff2@epsilon.eu.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> man rscryutil :-)
>
> On 17.09.2021 16:50, Richard King via rsyslog wrote:
> > Hi,
> >
> > How do you create a cry key for use in rsyslog?
> >
> > The rscrytool utility seems to no longer available.
> >
> > Thank you.
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> > if you DON'T LIKE THAT.
>
>
> ------------------------------
>
> Message: 19
> Date: Fri, 17 Sep 2021 19:18:05 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Message modification in DIRECT Queues have
> different semantics when using with rulesets vs actions
> Message-ID:
> <CADk+mPBb0-CLqrkp36d1e=j8Z=d9beU0pN0CkTcvq6JFJ7z=
> QA@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> OK, actually a tougher issue than I thought. After a couple of hours
> of testing, it looks like fixing the bug is good. There was some
> potential for a very slight optimization, but I left it out as it
> would have caused quite some work to ensure that the rest of the
> engine works well (hint: testing showed it did not work without
> further changes). So I am not 100% happy, but I think this issue is
> solved. More details from commit text:
>
> https://github.com/rsyslog/rsyslog/pull/4688
>
> The call rscript statement is able to call a rule set either synchronously
> or
> asynchronously. We did this, because practice showed that both modes
> are needed. For various reasons we decided to make async
> calls if the ruleset has a queue assigned and sync if not.
>
> To know if a "queue is assigned" we just checked if queue parameters were
> given. It was overlookeded the case of someone explicitly specifying a
> "direct queue", aka "no queue". As such, queue="direct" triggered async
> calls. That in turn meant that when a write operation to a variable was
> made inside that rule set, other rulesets could or could not see the
> write. While if was often not seen, this was a data race where the
> change could also be seen by the outside.
>
> This is now fixed. No matter if queue.type="direct" is specified or
> left out, the call will always by synchronous. Any values written to
> variables will also be seen by the "outside world" in later processing
> stages.
>
> Note that this has some potential to BREAK EXISTING CONFIGURATIONS.
> We deem this acceptable because:
>
> 1. this was racy at all, so unexpected behaviour could alwas occur
> 2. it is actually unlikely that someone used the triggering conditions
> in practice. But we can not outrule this, especially when the
> configuration was auto-generated.
>
> Potential compatibility issues can be solved by defining a small
> array-memory queue on the ruleset in question instead of specifying
> direct type.
>
> Again, we expect that almost all users will never experience any
> problems. If you do, however, please let us know: we may add an
> option to re-enable the bug.
>
>
> Thanks everyone for being persistent.
>
> Rainer
>
> El vie, 17 sept 2021 a las 14:41, Rainer Gerhards
> (<rgerhards@hq.adiscon.com>) escribi?:
> >
> > David,
> >
> > I reconsidered your point and am currently having a more in-depth
> > look. Maybe something is indeed fishy... Just for everyone's info.
> > Will post more when I know more ;-)
> >
> > Rainer
> >
> > El vie, 17 sept 2021 a las 11:21, Rainer Gerhards
> > (<rgerhards@hq.adiscon.com>) escribi?:
> > >
> > > > the issue is that throughout the documentation, we say that not
> specifying a
> > > > queue is the same as specifying a queue type of direct. In this
> case, it's not.
> > >
> > > no, no!
> > >
> > > All is right, except that the "call" statement calling a ruleset async
> > > even when only a queue type direct is set.
> > >
> > > Behaviour of queues is as it always was, and direct does not de-couple.
> > >
> > > It is "call" which is executed on a different thread when we detect
> > > queue parameters on a ruleset. Anything else is correct. This can be
> > > clarified here:
> > >
> > > https://www.rsyslog.com/doc/master/rainerscript/rainerscript_call.html
> > >
> > > but nowhere else!
> > >
> > > Tech details: if call detects a queue on the ruleset, it posts the
> > > message to that queue. Otherwise, it runs the ruleset as a subroutine
> > > (links directly to the rulesets AST). This ensures synchronicity even
> > > when running on multiple threads.
> > >
> > > Rainer
>
>
> ------------------------------
>
> Message: 20
> Date: Thu, 23 Sep 2021 15:08:42 +0100
> From: rking@abbyking.co.uk
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] rscryutil not always able to decrypt log
> Message-ID:
> <a9a8b79d-08f7-4d1c-c114-f18c968e0270@ultrasecure-it.co.uk>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> ?Hi,
>
> I have created a basic 16 char key with rscryutil and used it to encrypt
> a log.
>
> First time I used the key with rscryutil to decrypt the log it works,
> after that it doesn't decrypt the same log if I try it again later after
> the log has grown in size.
>
> I have no warning or error messages in /var/log/messages to indicate
> what is wrong. System is standard CentOS 7 and rsyslog version:
> rsyslogd 8.24.0-57.el7_9.1, compiled with:
> ??? PLATFORM:??? ??? ??? ??? x86_64-redhat-linux-gnu
> ??? PLATFORM (lsb_release -d):
> ??? FEATURE_REGEXP:??? ??? ??? ??? Yes
> ??? GSSAPI Kerberos 5 support:??? ??? Yes
> ??? FEATURE_DEBUG (debug build, slow code):??? No
> ??? 32bit Atomic operations supported:??? Yes
> ??? 64bit Atomic operations supported:??? Yes
> ??? memory allocator:??? ??? ??? system default
> ??? Runtime Instrumentation (slow code):??? No
> ??? uuid support:??? ??? ??? ??? Yes
> ??? Number of Bits in RainerScript integers: 64
>
> Is there another step I need to take, please?
>
> Thank you.
>
> Regards,
>
> Richard.
>
>
>
>
> ------------------------------
>
> Message: 21
> Date: Thu, 23 Sep 2021 23:21:27 +0200
> From: Andrea Monaco <andrea.monaco@autistici.org>
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] could not load module 'imklog'
> Message-ID: <87wnn7c7jc.fsf@autistici.org>
> Content-Type: text/plain
>
>
> Hello,
>
>
> on a GNU/Hurd system I get the following message during boot (more or
> less, copied by hand):
>
>
> rsyslogd: could not load module 'imklog'. errors: trying to load module
> /usr/lib/i386-gnu/rsyslog/imklog.so:
> /usr/lib/i386-gnu/rsyslog/imklog.so: undefined symbol:
> klogWillRunPrePrivDrop [v 8.39.0 try http://www.rsyslog.com/e/2066]
>
>
> The file imklog.so is present, but as the message says, the symbol
> klogWillRunPrePrivDrop is marked as U (undefined) by "nm -D imklog.so".
>
> Any suggestion, save rebuilding the program from source that I will try
> anyway when I have some time?
>
>
>
> Thanks,
>
> Andrea Monaco
>
>
> ------------------------------
>
> Message: 22
> Date: Mon, 27 Sep 2021 15:34:39 +0200
> From: Andrea Monaco <andrea.monaco@autistici.org>
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] Missing PATH_MAX and MAXPATHLEN on GNU/Hurd
> Message-ID: <87sfxqjg5s.fsf@autistici.org>
> Content-Type: text/plain
>
>
> Hello,
>
>
> on my GNU/Hurd system, running make on rsyslog-8.2108.0 fails, after a
> successful configure, because of undefined PATH_MAX and MAXPATHLEN.
>
> GNU/Hurd doesn't use such macros, by design choice, to avoid imposing
> arbitrary limits. Also note that POSIX allows those macros, but doesn't
> require them.
>
> Additionally, many common uses of PATH_MAX and similar are incorrect:
> for example, the Linux kernel does not really enforce a limit on path
> lengths, but only on paths to be passed to certain system calls; see
> https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html for
> example.
>
>
> Perhaps rsyslog could detect missing PATH_MAX at configure time, but
> that's not really a solution; I think the only option is to avoid its
> use entirely, resorting to dinamically allocated buffers instead.
>
> I could try that, as there are few instances to replace in rsyslog tree.
>
>
>
> Let me know,
>
> Andrea Monaco
>
>
> ------------------------------
>
> Message: 23
> Date: Tue, 28 Sep 2021 09:34:37 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Missing PATH_MAX and MAXPATHLEN on GNU/Hurd
> Message-ID:
> <CADk+mPBbFqT=5zhi0qxL=
> 7yQtOQRPv611W_joqyYK6fjTSNmWA@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Can you let me know where the build fails? We are well aware of the
> PATH_MAX issue and have avoided it at most places as well as mitigated
> at others. So this looks like it went overlooked. Smells a bit like
> imfile, but I would like to know for sure before applying patches.
>
> Thx,
> Rainer
>
> El lun, 27 sept 2021 a las 15:34, Andrea Monaco via rsyslog
> (<rsyslog@lists.adiscon.com>) escribi?:
> >
> >
> > Hello,
> >
> >
> > on my GNU/Hurd system, running make on rsyslog-8.2108.0 fails, after a
> > successful configure, because of undefined PATH_MAX and MAXPATHLEN.
> >
> > GNU/Hurd doesn't use such macros, by design choice, to avoid imposing
> > arbitrary limits. Also note that POSIX allows those macros, but doesn't
> > require them.
> >
> > Additionally, many common uses of PATH_MAX and similar are incorrect:
> > for example, the Linux kernel does not really enforce a limit on path
> > lengths, but only on paths to be passed to certain system calls; see
> > https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html for
> > example.
> >
> >
> > Perhaps rsyslog could detect missing PATH_MAX at configure time, but
> > that's not really a solution; I think the only option is to avoid its
> > use entirely, resorting to dinamically allocated buffers instead.
> >
> > I could try that, as there are few instances to replace in rsyslog tree.
> >
> >
> >
> > Let me know,
> >
> > Andrea Monaco
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
>
> ------------------------------
>
> Message: 24
> Date: Tue, 28 Sep 2021 17:53:42 +0200
> From: Andrea Monaco <andrea.monaco@autistici.org>
> To: rgerhards@hq.adiscon.com
> Cc: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Missing PATH_MAX and MAXPATHLEN on GNU/Hurd
> Message-ID: <87sfxolmrd.fsf@autistici.org>
> Content-Type: text/plain
>
>
> > Can you let me know where the build fails?
>
> Sure, here's the relevant part of my make output.
>
>
> Thanks,
> Andrea
>
>
>
> Making all in runtime
> make[2]: Entering directory '/root/rsyslog-8.2108.0/runtime'
> CC librsyslog_la-modules.lo
> In file included from syslogd-types.h:29,
> from obj-types.h:31,
> from debug.h:27,
> from rsyslog.h:739,
> from modules.c:56:
> modules.c: In function 'Load':
> modules.c:53:19: error: 'PATH_MAX' undeclared (first use in this function)
> 53 | # define PATH_MAX MAXPATHLEN
> | ^~~~~~~~~~
> modules.c:1105:16: note: in expansion of macro 'PATH_MAX'
> 1105 | uchar pathBuf[PATH_MAX+1];
> | ^~~~~~~~
> modules.c:53:19: note: each undeclared identifier is reported only once
> for each function it appears in
> 53 | # define PATH_MAX MAXPATHLEN
> | ^~~~~~~~~~
> modules.c:1105:16: note: in expansion of macro 'PATH_MAX'
> 1105 | uchar pathBuf[PATH_MAX+1];
> | ^~~~~~~~
> modules.c:1105:8: warning: unused variable 'pathBuf' [-Wunused-variable]
> 1105 | uchar pathBuf[PATH_MAX+1];
> | ^~~~~~~
>
>
>
>
> ------------------------------
>
> Message: 25
> Date: Wed, 29 Sep 2021 08:36:02 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: Andrea Monaco <andrea.monaco@autistici.org>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Missing PATH_MAX and MAXPATHLEN on GNU/Hurd
> Message-ID:
> <CADk+mPAMkuXO1ZDrRHPOYBReM2v0DK3Trw1hO_3Rcrt=
> w6eedw@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> I would appreciate if you could apply the patch from
>
> https://github.com/rsyslog/rsyslog/pull/4701
>
> and let me know the outcome.
>
> Thx,
> Rainer
>
> El mar, 28 sept 2021 a las 17:53, Andrea Monaco
> (<andrea.monaco@autistici.org>) escribi?:
> >
> >
> > > Can you let me know where the build fails?
> >
> > Sure, here's the relevant part of my make output.
> >
> >
> > Thanks,
> > Andrea
> >
> >
> >
> > Making all in runtime
> > make[2]: Entering directory '/root/rsyslog-8.2108.0/runtime'
> > CC librsyslog_la-modules.lo
> > In file included from syslogd-types.h:29,
> > from obj-types.h:31,
> > from debug.h:27,
> > from rsyslog.h:739,
> > from modules.c:56:
> > modules.c: In function 'Load':
> > modules.c:53:19: error: 'PATH_MAX' undeclared (first use in this
> function)
> > 53 | # define PATH_MAX MAXPATHLEN
> > | ^~~~~~~~~~
> > modules.c:1105:16: note: in expansion of macro 'PATH_MAX'
> > 1105 | uchar pathBuf[PATH_MAX+1];
> > | ^~~~~~~~
> > modules.c:53:19: note: each undeclared identifier is reported only once
> for each function it appears in
> > 53 | # define PATH_MAX MAXPATHLEN
> > | ^~~~~~~~~~
> > modules.c:1105:16: note: in expansion of macro 'PATH_MAX'
> > 1105 | uchar pathBuf[PATH_MAX+1];
> > | ^~~~~~~~
> > modules.c:1105:8: warning: unused variable 'pathBuf' [-Wunused-variable]
> > 1105 | uchar pathBuf[PATH_MAX+1];
> > | ^~~~~~~
> >
> >
>
>
> ------------------------------
>
> Message: 26
> Date: Wed, 29 Sep 2021 11:45:38 +0200
> From: silver-spirit@gmx.de
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] Disable user Login messages
> Message-ID:
>
> <trinity-51cdc284-b565-4649-9528-6d69d1cfef14-1632908738385@3c-app-gmx-bap27
> >
>
> Content-Type: text/plain; charset="UTF-8"
>
>
>
> ------------------------------
>
> Message: 27
> Date: Wed, 29 Sep 2021 18:11:36 +0200
> From: Andrea Monaco <andrea.monaco@autistici.org>
> To: rgerhards@hq.adiscon.com
> Cc: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Missing PATH_MAX and MAXPATHLEN on GNU/Hurd
> Message-ID: <87sfxn5pl3.fsf@autistici.org>
> Content-Type: text/plain
>
>
> > I would appreciate if you could apply the patch from
> > https://github.com/rsyslog/rsyslog/pull/4701 and let me know the
> > outcome.
>
>
> Now it builds, installs and runs.
>
>
>
> Thanks,
>
> Andrea
>
>
> ------------------------------
>
> Message: 28
> Date: Wed, 29 Sep 2021 12:16:48 -0400
> From: Saint Michael <venefax@gmail.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: [rsyslog] UNSUSCRIBE
> Message-ID:
> <
> CAC9cSOAwoBco7JHEKGgQU1GjTfOgkLcwRm2XPvttajoVg5p3Rg@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> UNSUSCRIBE
>
>
> ------------------------------
>
> Message: 29
> Date: Tue, 5 Oct 2021 15:58:07 -0400
> From: "Derek Atkins" <derek@ihtfp.com>
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> "127.0.0.1"?
> Message-ID:
> <3745d609eddba02c9c1d88f978c32323.squirrel@mail2.ihtfp.org>
> Content-Type: text/plain;charset=utf-8
>
> Hi,
>
> I'm using rsyslog in a BuildRoot environment. I've built it on two
> different platforms (nios2 and arm). The Nios2 platform works great.
> However, on the Arm platform, rsyslog seems to think the local hostname is
> "127.0.0.1". Why do I think that? Well, /var/log/messages contains:
>
> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> swVersion="8.2010.0" x-pid="8080" x-info="https://www.rsyslog.com"] start
>
> Notice the "127" in there? That's where the "hostname" is supposed to be.
> So if for some reason it thinks the FQDN is an IP address, that would
> explain why this is doing that. But that's weird, because:
>
> # hostname
> arm-host
>
> Moreover, if I compile and run the code to execute a "gethostbyname()" it
> also returns "arm-host". So I have no idea where it's getting the idea
> that the hostname/FQDN is an IP Address.
>
> I'll note that on the Nios2 this works as expected:
>
> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com"] start
>
> I'll say this is the same version of rsyslog on both systems, built with
> the same sources, and (ostensibly) with the same build-time, and
> definitely the same run-time configurations.
>
> I'm just at a loss for why rsyslog might be doing this, and I'm not sure
> where else to look.
>
> So I'm hoping you experts might be able to help me?
>
> Thanks!
>
> -derek
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
>
> ------------------------------
>
> Message: 30
> Date: Tue, 5 Oct 2021 20:28:34 -0400
> From: "Derek Atkins" <derek@ihtfp.com>
> To: "David Lang" <david@lang.hm>
> Cc: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> "127.0.0.1"?
> Message-ID:
> <0d9c69640c500a619819fd4b9cd78ac7.squirrel@mail2.ihtfp.org>
> Content-Type: text/plain;charset=utf-8
>
> Hi,
>
> Thank you for the quick response.
>
> The logging here is all done locally, and the issue is in EVERY log
> message. The source is local (a call to vsyslog() in an application), or
> even just a call to "logger". Here is the resulting log message from
> rsyslogd starting up:
>
> Debug line with all properties:
> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI: 46,
> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog', PROCID:
> '-', MSGID: '-',
> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> x-info="https://www.rsyslog.com"] start'
> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> x-info="https://www.rsyslog.com"] start'
> $!:
> $.:
> $/:
>
> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here, but my
> guess that's the problem?
>
> I can run the same config on the nios2 if you want to see what it says,
> but my guess is that FROMHOST and HOSTNAME are going to both be "nios2"
> instead of "127".
>
> The contents of /etc/hosts is effectively the same on both machines (the
> one that works correctly and this one).
>
> Thanks,
>
> -derek
>
> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> > please log with the template RSYSLOG_DebugFormat so that we can see
> > exactly what
> > rsyslog is being sent for a problem message.
> >
> > David Lang
> >
> > On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >
> >> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >> To: rsyslog@lists.adiscon.com
> >> Cc: Derek Atkins <derek@ihtfp.com>
> >> Subject: [rsyslog] RSyslog thinks my machine's hostname is "127.0.0.1"?
> >>
> >> Hi,
> >>
> >> I'm using rsyslog in a BuildRoot environment. I've built it on two
> >> different platforms (nios2 and arm). The Nios2 platform works great.
> >> However, on the Arm platform, rsyslog seems to think the local hostname
> >> is
> >> "127.0.0.1". Why do I think that? Well, /var/log/messages contains:
> >>
> >> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >> swVersion="8.2010.0" x-pid="8080" x-info="https://www.rsyslog.com"]
> >> start
> >>
> >> Notice the "127" in there? That's where the "hostname" is supposed to
> >> be.
> >> So if for some reason it thinks the FQDN is an IP address, that would
> >> explain why this is doing that. But that's weird, because:
> >>
> >> # hostname
> >> arm-host
> >>
> >> Moreover, if I compile and run the code to execute a "gethostbyname()"
> >> it
> >> also returns "arm-host". So I have no idea where it's getting the idea
> >> that the hostname/FQDN is an IP Address.
> >>
> >> I'll note that on the Nios2 this works as expected:
> >>
> >> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com"]
> start
> >>
> >> I'll say this is the same version of rsyslog on both systems, built with
> >> the same sources, and (ostensibly) with the same build-time, and
> >> definitely the same run-time configurations.
> >>
> >> I'm just at a loss for why rsyslog might be doing this, and I'm not sure
> >> where else to look.
> >>
> >> So I'm hoping you experts might be able to help me?
> >>
> >> Thanks!
> >>
> >> -derek
> >>
> >>
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
>
> ------------------------------
>
> Message: 31
> Date: Tue, 5 Oct 2021 17:52:54 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: Derek Atkins <derek@ihtfp.com>
> Cc: David Lang <david@lang.hm>, rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> "127.0.0.1"?
> Message-ID: <qp816s3-77s8-3720-56sr-2p39n557rq3n@ynat.uz>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> what is in /etc/hosts and what do you get if you run the command hostname?
>
> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
>
> the log message you received (as seen by the rawmsg: section) does not
> provide a
> hostname (which could have been the problem)
>
> so based on this, the problem is with name resolution, which should start
> with
> /etc/hosts and hostname
>
> David Lang
>
> On Tue, 5 Oct 2021, Derek Atkins wrote:
>
> > Date: Tue, 5 Oct 2021 20:28:34 -0400
> > From: Derek Atkins <derek@ihtfp.com>
> > To: David Lang <david@lang.hm>
> > Cc: rsyslog@lists.adiscon.com
> > Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> "127.0.0.1"?
> >
> > Hi,
> >
> > Thank you for the quick response.
> >
> > The logging here is all done locally, and the issue is in EVERY log
> > message. The source is local (a call to vsyslog() in an application), or
> > even just a call to "logger". Here is the resulting log message from
> > rsyslogd starting up:
> >
> > Debug line with all properties:
> > FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI: 46,
> > syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog', PROCID:
> > '-', MSGID: '-',
> > TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> > msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> > x-info="https://www.rsyslog.com"] start'
> > escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> > x-pid="17368" x-info="https://www.rsyslog.com"] start'
> > inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> > software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> > x-info="https://www.rsyslog.com"] start'
> > $!:
> > $.:
> > $/:
> >
> > So... no clue where "FROMHOST" or "HOSTNAME" are coming from here, but my
> > guess that's the problem?
> >
> > I can run the same config on the nios2 if you want to see what it says,
> > but my guess is that FROMHOST and HOSTNAME are going to both be "nios2"
> > instead of "127".
> >
> > The contents of /etc/hosts is effectively the same on both machines (the
> > one that works correctly and this one).
> >
> > Thanks,
> >
> > -derek
> >
> > On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >> please log with the template RSYSLOG_DebugFormat so that we can see
> >> exactly what
> >> rsyslog is being sent for a problem message.
> >>
> >> David Lang
> >>
> >> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>
> >>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>> To: rsyslog@lists.adiscon.com
> >>> Cc: Derek Atkins <derek@ihtfp.com>
> >>> Subject: [rsyslog] RSyslog thinks my machine's hostname is "127.0.0.1"?
> >>>
> >>> Hi,
> >>>
> >>> I'm using rsyslog in a BuildRoot environment. I've built it on two
> >>> different platforms (nios2 and arm). The Nios2 platform works great.
> >>> However, on the Arm platform, rsyslog seems to think the local hostname
> >>> is
> >>> "127.0.0.1". Why do I think that? Well, /var/log/messages contains:
> >>>
> >>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>> swVersion="8.2010.0" x-pid="8080" x-info="https://www.rsyslog.com"]
> >>> start
> >>>
> >>> Notice the "127" in there? That's where the "hostname" is supposed to
> >>> be.
> >>> So if for some reason it thinks the FQDN is an IP address, that would
> >>> explain why this is doing that. But that's weird, because:
> >>>
> >>> # hostname
> >>> arm-host
> >>>
> >>> Moreover, if I compile and run the code to execute a "gethostbyname()"
> >>> it
> >>> also returns "arm-host". So I have no idea where it's getting the idea
> >>> that the hostname/FQDN is an IP Address.
> >>>
> >>> I'll note that on the Nios2 this works as expected:
> >>>
> >>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com"]
> start
> >>>
> >>> I'll say this is the same version of rsyslog on both systems, built
> with
> >>> the same sources, and (ostensibly) with the same build-time, and
> >>> definitely the same run-time configurations.
> >>>
> >>> I'm just at a loss for why rsyslog might be doing this, and I'm not
> sure
> >>> where else to look.
> >>>
> >>> So I'm hoping you experts might be able to help me?
> >>>
> >>> Thanks!
> >>>
> >>> -derek
> >>>
> >>>
> >>
> >
> >
> >
>
>
> ------------------------------
>
> Message: 32
> Date: Tue, 5 Oct 2021 21:13:28 -0400
> From: "Derek Atkins" <derek@ihtfp.com>
> To: "David Lang" <david@lang.hm>
> Cc: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> "127.0.0.1"?
> Message-ID:
> <bc80ef0b9d7d6ab162810f38f59b63d8.squirrel@mail2.ihtfp.org>
> Content-Type: text/plain;charset=utf-8
>
> As I said in my OP:
>
> # hostname
> arm-host
>
> and from this query:
>
> # cat /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 arm-host
>
>
> However, as I also stated in my OP, I another another machine on a nios2
> with the exact same configuration and there the log messages say the
> correct hostname.
>
> -derek
>
> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> > what is in /etc/hosts and what do you get if you run the command
> hostname?
> >
> > rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >
> > the log message you received (as seen by the rawmsg: section) does not
> > provide a
> > hostname (which could have been the problem)
> >
> > so based on this, the problem is with name resolution, which should start
> > with
> > /etc/hosts and hostname
> >
> > David Lang
> >
> > On Tue, 5 Oct 2021, Derek Atkins wrote:
> >
> >> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >> From: Derek Atkins <derek@ihtfp.com>
> >> To: David Lang <david@lang.hm>
> >> Cc: rsyslog@lists.adiscon.com
> >> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >> "127.0.0.1"?
> >>
> >> Hi,
> >>
> >> Thank you for the quick response.
> >>
> >> The logging here is all done locally, and the issue is in EVERY log
> >> message. The source is local (a call to vsyslog() in an application),
> >> or
> >> even just a call to "logger". Here is the resulting log message from
> >> rsyslogd starting up:
> >>
> >> Debug line with all properties:
> >> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI: 46,
> >> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog', PROCID:
> >> '-', MSGID: '-',
> >> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >> x-info="https://www.rsyslog.com"] start'
> >> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >> x-info="https://www.rsyslog.com"] start'
> >> $!:
> >> $.:
> >> $/:
> >>
> >> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here, but
> >> my
> >> guess that's the problem?
> >>
> >> I can run the same config on the nios2 if you want to see what it says,
> >> but my guess is that FROMHOST and HOSTNAME are going to both be "nios2"
> >> instead of "127".
> >>
> >> The contents of /etc/hosts is effectively the same on both machines (the
> >> one that works correctly and this one).
> >>
> >> Thanks,
> >>
> >> -derek
> >>
> >> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>> please log with the template RSYSLOG_DebugFormat so that we can see
> >>> exactly what
> >>> rsyslog is being sent for a problem message.
> >>>
> >>> David Lang
> >>>
> >>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>
> >>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>> To: rsyslog@lists.adiscon.com
> >>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>> "127.0.0.1"?
> >>>>
> >>>> Hi,
> >>>>
> >>>> I'm using rsyslog in a BuildRoot environment. I've built it on two
> >>>> different platforms (nios2 and arm). The Nios2 platform works great.
> >>>> However, on the Arm platform, rsyslog seems to think the local
> >>>> hostname
> >>>> is
> >>>> "127.0.0.1". Why do I think that? Well, /var/log/messages contains:
> >>>>
> >>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>> swVersion="8.2010.0" x-pid="8080" x-info="https://www.rsyslog.com"]
> >>>> start
> >>>>
> >>>> Notice the "127" in there? That's where the "hostname" is supposed to
> >>>> be.
> >>>> So if for some reason it thinks the FQDN is an IP address, that would
> >>>> explain why this is doing that. But that's weird, because:
> >>>>
> >>>> # hostname
> >>>> arm-host
> >>>>
> >>>> Moreover, if I compile and run the code to execute a "gethostbyname()"
> >>>> it
> >>>> also returns "arm-host". So I have no idea where it's getting the
> >>>> idea
> >>>> that the hostname/FQDN is an IP Address.
> >>>>
> >>>> I'll note that on the Nios2 this works as expected:
> >>>>
> >>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com"]
> >>>> start
> >>>>
> >>>> I'll say this is the same version of rsyslog on both systems, built
> >>>> with
> >>>> the same sources, and (ostensibly) with the same build-time, and
> >>>> definitely the same run-time configurations.
> >>>>
> >>>> I'm just at a loss for why rsyslog might be doing this, and I'm not
> >>>> sure
> >>>> where else to look.
> >>>>
> >>>> So I'm hoping you experts might be able to help me?
> >>>>
> >>>> Thanks!
> >>>>
> >>>> -derek
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
>
> ------------------------------
>
> Message: 33
> Date: Wed, 6 Oct 2021 08:36:56 -0400
> From: "Derek Atkins" <derek@ihtfp.com>
> To: "rsyslog-users" <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> "127.0.0.1"?
> Message-ID:
> <0a057d0efb23c557d593e8371f7e320f.squirrel@mail2.ihtfp.org>
> Content-Type: text/plain;charset=utf-8
>
> Good morning,
>
> Thank you for your help so far.
>
> I just wanted to add one more piece of data, on my other host (compiled in
> the same way from the same source in the same BuildRoot manner, but on a
> different platform), I get what I would expect:
>
> Debug line with all properties:
> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI: 46,
> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
> PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> x-info="https://www.rsyslog.com"] start'
> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> x-info="https://www.rsyslog.com"] start'
> $!:
> $.:
> $/:
>
> So ... FROMHOST and HOSTNAME are clearly correct here. So I guess my
> question is, what APIs are rsyslogd using to try to obtain this
> information? I can certainly compile additional test code and run it if
> necessary. I just find it odd that the *host* knows its name but rsyslogd
> can't figure it out?
>
> Actually, looking a little closer, I noticed that I'm using uclibc on the
> arm platform (the broken one), but glibc on the nios2. I wonder if this
> is the issue?
>
> -derek
>
> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> > As I said in my OP:
> >
> > # hostname
> > arm-host
> >
> > and from this query:
> >
> > # cat /etc/hosts
> > 127.0.0.1 localhost
> > 127.0.1.1 arm-host
> >
> >
> > However, as I also stated in my OP, I another another machine on a nios2
> > with the exact same configuration and there the log messages say the
> > correct hostname.
> >
> > -derek
> >
> > On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >> what is in /etc/hosts and what do you get if you run the command
> >> hostname?
> >>
> >> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>
> >> the log message you received (as seen by the rawmsg: section) does not
> >> provide a
> >> hostname (which could have been the problem)
> >>
> >> so based on this, the problem is with name resolution, which should
> >> start
> >> with
> >> /etc/hosts and hostname
> >>
> >> David Lang
> >>
> >> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>
> >>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>> From: Derek Atkins <derek@ihtfp.com>
> >>> To: David Lang <david@lang.hm>
> >>> Cc: rsyslog@lists.adiscon.com
> >>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>> "127.0.0.1"?
> >>>
> >>> Hi,
> >>>
> >>> Thank you for the quick response.
> >>>
> >>> The logging here is all done locally, and the issue is in EVERY log
> >>> message. The source is local (a call to vsyslog() in an application),
> >>> or
> >>> even just a call to "logger". Here is the resulting log message from
> >>> rsyslogd starting up:
> >>>
> >>> Debug line with all properties:
> >>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI: 46,
> >>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog', PROCID:
> >>> '-', MSGID: '-',
> >>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>> x-info="https://www.rsyslog.com"] start'
> >>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>> x-info="https://www.rsyslog.com"] start'
> >>> $!:
> >>> $.:
> >>> $/:
> >>>
> >>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here, but
> >>> my
> >>> guess that's the problem?
> >>>
> >>> I can run the same config on the nios2 if you want to see what it says,
> >>> but my guess is that FROMHOST and HOSTNAME are going to both be "nios2"
> >>> instead of "127".
> >>>
> >>> The contents of /etc/hosts is effectively the same on both machines
> >>> (the
> >>> one that works correctly and this one).
> >>>
> >>> Thanks,
> >>>
> >>> -derek
> >>>
> >>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>> please log with the template RSYSLOG_DebugFormat so that we can see
> >>>> exactly what
> >>>> rsyslog is being sent for a problem message.
> >>>>
> >>>> David Lang
> >>>>
> >>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>
> >>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>> To: rsyslog@lists.adiscon.com
> >>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>> "127.0.0.1"?
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I'm using rsyslog in a BuildRoot environment. I've built it on two
> >>>>> different platforms (nios2 and arm). The Nios2 platform works great.
> >>>>> However, on the Arm platform, rsyslog seems to think the local
> >>>>> hostname
> >>>>> is
> >>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages contains:
> >>>>>
> >>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>> swVersion="8.2010.0" x-pid="8080" x-info="https://www.rsyslog.com"]
> >>>>> start
> >>>>>
> >>>>> Notice the "127" in there? That's where the "hostname" is supposed
> >>>>> to
> >>>>> be.
> >>>>> So if for some reason it thinks the FQDN is an IP address, that would
> >>>>> explain why this is doing that. But that's weird, because:
> >>>>>
> >>>>> # hostname
> >>>>> arm-host
> >>>>>
> >>>>> Moreover, if I compile and run the code to execute a
> >>>>> "gethostbyname()"
> >>>>> it
> >>>>> also returns "arm-host". So I have no idea where it's getting the
> >>>>> idea
> >>>>> that the hostname/FQDN is an IP Address.
> >>>>>
> >>>>> I'll note that on the Nios2 this works as expected:
> >>>>>
> >>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com"]
> >>>>> start
> >>>>>
> >>>>> I'll say this is the same version of rsyslog on both systems, built
> >>>>> with
> >>>>> the same sources, and (ostensibly) with the same build-time, and
> >>>>> definitely the same run-time configurations.
> >>>>>
> >>>>> I'm just at a loss for why rsyslog might be doing this, and I'm not
> >>>>> sure
> >>>>> where else to look.
> >>>>>
> >>>>> So I'm hoping you experts might be able to help me?
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> -derek
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >
> >
> > --
> > Derek Atkins 617-623-3745
> > derek@ihtfp.com www.ihtfp.com
> > Computer and Internet Security Consultant
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
>
> ------------------------------
>
> Message: 34
> Date: Wed, 6 Oct 2021 09:30:55 -0400
> From: "Derek Atkins" <derek@ihtfp.com>
> To: "rsyslog-users" <rsyslog@lists.adiscon.com>
> Subject: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname
> is "127.0.0.1"?
> Message-ID:
> <6c75d6aa6f5e976b89bbaa0ece276f1a.squirrel@mail2.ihtfp.org>
> Content-Type: text/plain;charset=utf-8
>
> I just rebuilt the Arm platform with GLibc and.... syslog is working.
> So I will go and blame uclibc for the bug.
>
> Thank you for getting me to look more closely (and pointing out that the
> issue is that rsyslogd was not getting a valid hostname).
>
> Thanks all!
>
> -derek
>
> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> > Good morning,
> >
> > Thank you for your help so far.
> >
> > I just wanted to add one more piece of data, on my other host (compiled
> in
> > the same way from the same source in the same BuildRoot manner, but on a
> > different platform), I get what I would expect:
> >
> > Debug line with all properties:
> > FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI: 46,
> > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> 'rsyslogd',
> > PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> > msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> > x-info="https://www.rsyslog.com"] start'
> > escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> > x-pid="1780" x-info="https://www.rsyslog.com"] start'
> > inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> > software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> > x-info="https://www.rsyslog.com"] start'
> > $!:
> > $.:
> > $/:
> >
> > So ... FROMHOST and HOSTNAME are clearly correct here. So I guess my
> > question is, what APIs are rsyslogd using to try to obtain this
> > information? I can certainly compile additional test code and run it if
> > necessary. I just find it odd that the *host* knows its name but
> rsyslogd
> > can't figure it out?
> >
> > Actually, looking a little closer, I noticed that I'm using uclibc on the
> > arm platform (the broken one), but glibc on the nios2. I wonder if this
> > is the issue?
> >
> > -derek
> >
> > On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >> As I said in my OP:
> >>
> >> # hostname
> >> arm-host
> >>
> >> and from this query:
> >>
> >> # cat /etc/hosts
> >> 127.0.0.1 localhost
> >> 127.0.1.1 arm-host
> >>
> >>
> >> However, as I also stated in my OP, I another another machine on a nios2
> >> with the exact same configuration and there the log messages say the
> >> correct hostname.
> >>
> >> -derek
> >>
> >> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >>> what is in /etc/hosts and what do you get if you run the command
> >>> hostname?
> >>>
> >>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>>
> >>> the log message you received (as seen by the rawmsg: section) does not
> >>> provide a
> >>> hostname (which could have been the problem)
> >>>
> >>> so based on this, the problem is with name resolution, which should
> >>> start
> >>> with
> >>> /etc/hosts and hostname
> >>>
> >>> David Lang
> >>>
> >>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>>
> >>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>>> From: Derek Atkins <derek@ihtfp.com>
> >>>> To: David Lang <david@lang.hm>
> >>>> Cc: rsyslog@lists.adiscon.com
> >>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>>> "127.0.0.1"?
> >>>>
> >>>> Hi,
> >>>>
> >>>> Thank you for the quick response.
> >>>>
> >>>> The logging here is all done locally, and the issue is in EVERY log
> >>>> message. The source is local (a call to vsyslog() in an application),
> >>>> or
> >>>> even just a call to "logger". Here is the resulting log message from
> >>>> rsyslogd starting up:
> >>>>
> >>>> Debug line with all properties:
> >>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI: 46,
> >>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> >>>> PROCID:
> >>>> '-', MSGID: '-',
> >>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>> x-info="https://www.rsyslog.com"] start'
> >>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>> x-info="https://www.rsyslog.com"] start'
> >>>> $!:
> >>>> $.:
> >>>> $/:
> >>>>
> >>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here, but
> >>>> my
> >>>> guess that's the problem?
> >>>>
> >>>> I can run the same config on the nios2 if you want to see what it
> >>>> says,
> >>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> >>>> "nios2"
> >>>> instead of "127".
> >>>>
> >>>> The contents of /etc/hosts is effectively the same on both machines
> >>>> (the
> >>>> one that works correctly and this one).
> >>>>
> >>>> Thanks,
> >>>>
> >>>> -derek
> >>>>
> >>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>>> please log with the template RSYSLOG_DebugFormat so that we can see
> >>>>> exactly what
> >>>>> rsyslog is being sent for a problem message.
> >>>>>
> >>>>> David Lang
> >>>>>
> >>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>
> >>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>>> To: rsyslog@lists.adiscon.com
> >>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>> "127.0.0.1"?
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I'm using rsyslog in a BuildRoot environment. I've built it on two
> >>>>>> different platforms (nios2 and arm). The Nios2 platform works
> >>>>>> great.
> >>>>>> However, on the Arm platform, rsyslog seems to think the local
> >>>>>> hostname
> >>>>>> is
> >>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> >>>>>> contains:
> >>>>>>
> >>>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>>> swVersion="8.2010.0" x-pid="8080" x-info="https://www.rsyslog.com"]
> >>>>>> start
> >>>>>>
> >>>>>> Notice the "127" in there? That's where the "hostname" is supposed
> >>>>>> to
> >>>>>> be.
> >>>>>> So if for some reason it thinks the FQDN is an IP address, that
> >>>>>> would
> >>>>>> explain why this is doing that. But that's weird, because:
> >>>>>>
> >>>>>> # hostname
> >>>>>> arm-host
> >>>>>>
> >>>>>> Moreover, if I compile and run the code to execute a
> >>>>>> "gethostbyname()"
> >>>>>> it
> >>>>>> also returns "arm-host". So I have no idea where it's getting the
> >>>>>> idea
> >>>>>> that the hostname/FQDN is an IP Address.
> >>>>>>
> >>>>>> I'll note that on the Nios2 this works as expected:
> >>>>>>
> >>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>>> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com"]
> >>>>>> start
> >>>>>>
> >>>>>> I'll say this is the same version of rsyslog on both systems, built
> >>>>>> with
> >>>>>> the same sources, and (ostensibly) with the same build-time, and
> >>>>>> definitely the same run-time configurations.
> >>>>>>
> >>>>>> I'm just at a loss for why rsyslog might be doing this, and I'm not
> >>>>>> sure
> >>>>>> where else to look.
> >>>>>>
> >>>>>> So I'm hoping you experts might be able to help me?
> >>>>>>
> >>>>>> Thanks!
> >>>>>>
> >>>>>> -derek
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >> --
> >> Derek Atkins 617-623-3745
> >> derek@ihtfp.com www.ihtfp.com
> >> Computer and Internet Security Consultant
> >>
> >> _______________________________________________
> >> rsyslog mailing list
> >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> >>
> >
> >
> > --
> > Derek Atkins 617-623-3745
> > derek@ihtfp.com www.ihtfp.com
> > Computer and Internet Security Consultant
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
>
> ------------------------------
>
> Message: 35
> Date: Wed, 6 Oct 2021 10:43:01 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is "127.0.0.1"?
> Message-ID: <626p7799-6s5n-929r-7n6s-4ns41371oo4@ynat.uz>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> I believe that rsyslog uses the gethostbyname() call to convert the IP to
> name
>
> it would also be interesting to create a custom templete with
> %$myhostname% in
> it and see what that returns.
>
> I'm not sure if in this case, rsyslog is seeing that there is no hostname
> in the
> message and using $myhostname (and that is wrong) or if it's trying to
> resolve
> 127.0.0.1 and that's failing (I suspect that it's the $myhostname that's
> wrong)
>
> If we can identify what's happening, we can then try to create a fix. It
> would
> be nice to support non-glibc builds
>
> David Lang
>
>
> On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
>
> > I just rebuilt the Arm platform with GLibc and.... syslog is working.
> > So I will go and blame uclibc for the bug.
> >
> > Thank you for getting me to look more closely (and pointing out that the
> > issue is that rsyslogd was not getting a valid hostname).
> >
> > Thanks all!
> >
> > -derek
> >
> > On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> >> Good morning,
> >>
> >> Thank you for your help so far.
> >>
> >> I just wanted to add one more piece of data, on my other host (compiled
> in
> >> the same way from the same source in the same BuildRoot manner, but on a
> >> different platform), I get what I would expect:
> >>
> >> Debug line with all properties:
> >> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI: 46,
> >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> 'rsyslogd',
> >> PROCID: '-', MSGID: '-',
> >> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> >> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >> x-info="https://www.rsyslog.com"] start'
> >> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> >> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >> x-info="https://www.rsyslog.com"] start'
> >> $!:
> >> $.:
> >> $/:
> >>
> >> So ... FROMHOST and HOSTNAME are clearly correct here. So I guess my
> >> question is, what APIs are rsyslogd using to try to obtain this
> >> information? I can certainly compile additional test code and run it if
> >> necessary. I just find it odd that the *host* knows its name but
> rsyslogd
> >> can't figure it out?
> >>
> >> Actually, looking a little closer, I noticed that I'm using uclibc on
> the
> >> arm platform (the broken one), but glibc on the nios2. I wonder if this
> >> is the issue?
> >>
> >> -derek
> >>
> >> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >>> As I said in my OP:
> >>>
> >>> # hostname
> >>> arm-host
> >>>
> >>> and from this query:
> >>>
> >>> # cat /etc/hosts
> >>> 127.0.0.1 localhost
> >>> 127.0.1.1 arm-host
> >>>
> >>>
> >>> However, as I also stated in my OP, I another another machine on a
> nios2
> >>> with the exact same configuration and there the log messages say the
> >>> correct hostname.
> >>>
> >>> -derek
> >>>
> >>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >>>> what is in /etc/hosts and what do you get if you run the command
> >>>> hostname?
> >>>>
> >>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>>>
> >>>> the log message you received (as seen by the rawmsg: section) does not
> >>>> provide a
> >>>> hostname (which could have been the problem)
> >>>>
> >>>> so based on this, the problem is with name resolution, which should
> >>>> start
> >>>> with
> >>>> /etc/hosts and hostname
> >>>>
> >>>> David Lang
> >>>>
> >>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>>>
> >>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>>>> From: Derek Atkins <derek@ihtfp.com>
> >>>>> To: David Lang <david@lang.hm>
> >>>>> Cc: rsyslog@lists.adiscon.com
> >>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>> "127.0.0.1"?
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> Thank you for the quick response.
> >>>>>
> >>>>> The logging here is all done locally, and the issue is in EVERY log
> >>>>> message. The source is local (a call to vsyslog() in an
> application),
> >>>>> or
> >>>>> even just a call to "logger". Here is the resulting log message from
> >>>>> rsyslogd starting up:
> >>>>>
> >>>>> Debug line with all properties:
> >>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI: 46,
> >>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> >>>>> PROCID:
> >>>>> '-', MSGID: '-',
> >>>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>>> x-info="https://www.rsyslog.com"] start'
> >>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>>> x-info="https://www.rsyslog.com"] start'
> >>>>> $!:
> >>>>> $.:
> >>>>> $/:
> >>>>>
> >>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here,
> but
> >>>>> my
> >>>>> guess that's the problem?
> >>>>>
> >>>>> I can run the same config on the nios2 if you want to see what it
> >>>>> says,
> >>>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> >>>>> "nios2"
> >>>>> instead of "127".
> >>>>>
> >>>>> The contents of /etc/hosts is effectively the same on both machines
> >>>>> (the
> >>>>> one that works correctly and this one).
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> -derek
> >>>>>
> >>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>>>> please log with the template RSYSLOG_DebugFormat so that we can see
> >>>>>> exactly what
> >>>>>> rsyslog is being sent for a problem message.
> >>>>>>
> >>>>>> David Lang
> >>>>>>
> >>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>>
> >>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>>>> To: rsyslog@lists.adiscon.com
> >>>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>> "127.0.0.1"?
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I'm using rsyslog in a BuildRoot environment. I've built it on two
> >>>>>>> different platforms (nios2 and arm). The Nios2 platform works
> >>>>>>> great.
> >>>>>>> However, on the Arm platform, rsyslog seems to think the local
> >>>>>>> hostname
> >>>>>>> is
> >>>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> >>>>>>> contains:
> >>>>>>>
> >>>>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>>>> swVersion="8.2010.0" x-pid="8080" x-info="https://www.rsyslog.com
> "]
> >>>>>>> start
> >>>>>>>
> >>>>>>> Notice the "127" in there? That's where the "hostname" is supposed
> >>>>>>> to
> >>>>>>> be.
> >>>>>>> So if for some reason it thinks the FQDN is an IP address, that
> >>>>>>> would
> >>>>>>> explain why this is doing that. But that's weird, because:
> >>>>>>>
> >>>>>>> # hostname
> >>>>>>> arm-host
> >>>>>>>
> >>>>>>> Moreover, if I compile and run the code to execute a
> >>>>>>> "gethostbyname()"
> >>>>>>> it
> >>>>>>> also returns "arm-host". So I have no idea where it's getting the
> >>>>>>> idea
> >>>>>>> that the hostname/FQDN is an IP Address.
> >>>>>>>
> >>>>>>> I'll note that on the Nios2 this works as expected:
> >>>>>>>
> >>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>>>> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com"]
> >>>>>>> start
> >>>>>>>
> >>>>>>> I'll say this is the same version of rsyslog on both systems, built
> >>>>>>> with
> >>>>>>> the same sources, and (ostensibly) with the same build-time, and
> >>>>>>> definitely the same run-time configurations.
> >>>>>>>
> >>>>>>> I'm just at a loss for why rsyslog might be doing this, and I'm not
> >>>>>>> sure
> >>>>>>> where else to look.
> >>>>>>>
> >>>>>>> So I'm hoping you experts might be able to help me?
> >>>>>>>
> >>>>>>> Thanks!
> >>>>>>>
> >>>>>>> -derek
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> Derek Atkins 617-623-3745
> >>> derek@ihtfp.com www.ihtfp.com
> >>> Computer and Internet Security Consultant
> >>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T LIKE THAT.
> >>>
> >>
> >>
> >> --
> >> Derek Atkins 617-623-3745
> >> derek@ihtfp.com www.ihtfp.com
> >> Computer and Internet Security Consultant
> >>
> >> _______________________________________________
> >> rsyslog mailing list
> >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> >>
> >
> >
> >
>
>
> ------------------------------
>
> Message: 36
> Date: Wed, 6 Oct 2021 13:45:56 -0400
> From: "Derek Atkins" <derek@ihtfp.com>
> To: "David Lang" <david@lang.hm>
> Cc: "Derek Atkins via rsyslog" <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is "127.0.0.1"?
> Message-ID:
> <4f8ca02b59f05897872332196edffd30.squirrel@mail2.ihtfp.org>
> Content-Type: text/plain;charset=utf-8
>
> David,
>
> I am happy to revert back to the uclibc installation and feed you data, if
> you can give me what to copy-and-paste into my rsyslogd.conf file?
>
> -derek
>
> On Wed, October 6, 2021 1:43 pm, David Lang wrote:
> > I believe that rsyslog uses the gethostbyname() call to convert the IP to
> > name
> >
> > it would also be interesting to create a custom templete with
> > %$myhostname% in
> > it and see what that returns.
> >
> > I'm not sure if in this case, rsyslog is seeing that there is no hostname
> > in the
> > message and using $myhostname (and that is wrong) or if it's trying to
> > resolve
> > 127.0.0.1 and that's failing (I suspect that it's the $myhostname that's
> > wrong)
> >
> > If we can identify what's happening, we can then try to create a fix. It
> > would
> > be nice to support non-glibc builds
> >
> > David Lang
> >
> >
> > On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
> >
> >> I just rebuilt the Arm platform with GLibc and.... syslog is working.
> >> So I will go and blame uclibc for the bug.
> >>
> >> Thank you for getting me to look more closely (and pointing out that the
> >> issue is that rsyslogd was not getting a valid hostname).
> >>
> >> Thanks all!
> >>
> >> -derek
> >>
> >> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> >>> Good morning,
> >>>
> >>> Thank you for your help so far.
> >>>
> >>> I just wanted to add one more piece of data, on my other host (compiled
> >>> in
> >>> the same way from the same source in the same BuildRoot manner, but on
> >>> a
> >>> different platform), I get what I would expect:
> >>>
> >>> Debug line with all properties:
> >>> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI:
> >>> 46,
> >>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> >>> 'rsyslogd',
> >>> PROCID: '-', MSGID: '-',
> >>> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> >>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>> x-info="https://www.rsyslog.com"] start'
> >>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >>> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> >>> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>> x-info="https://www.rsyslog.com"] start'
> >>> $!:
> >>> $.:
> >>> $/:
> >>>
> >>> So ... FROMHOST and HOSTNAME are clearly correct here. So I guess my
> >>> question is, what APIs are rsyslogd using to try to obtain this
> >>> information? I can certainly compile additional test code and run it
> >>> if
> >>> necessary. I just find it odd that the *host* knows its name but
> >>> rsyslogd
> >>> can't figure it out?
> >>>
> >>> Actually, looking a little closer, I noticed that I'm using uclibc on
> >>> the
> >>> arm platform (the broken one), but glibc on the nios2. I wonder if
> >>> this
> >>> is the issue?
> >>>
> >>> -derek
> >>>
> >>> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >>>> As I said in my OP:
> >>>>
> >>>> # hostname
> >>>> arm-host
> >>>>
> >>>> and from this query:
> >>>>
> >>>> # cat /etc/hosts
> >>>> 127.0.0.1 localhost
> >>>> 127.0.1.1 arm-host
> >>>>
> >>>>
> >>>> However, as I also stated in my OP, I another another machine on a
> >>>> nios2
> >>>> with the exact same configuration and there the log messages say the
> >>>> correct hostname.
> >>>>
> >>>> -derek
> >>>>
> >>>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >>>>> what is in /etc/hosts and what do you get if you run the command
> >>>>> hostname?
> >>>>>
> >>>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>>>>
> >>>>> the log message you received (as seen by the rawmsg: section) does
> >>>>> not
> >>>>> provide a
> >>>>> hostname (which could have been the problem)
> >>>>>
> >>>>> so based on this, the problem is with name resolution, which should
> >>>>> start
> >>>>> with
> >>>>> /etc/hosts and hostname
> >>>>>
> >>>>> David Lang
> >>>>>
> >>>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>>>>
> >>>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>>>>> From: Derek Atkins <derek@ihtfp.com>
> >>>>>> To: David Lang <david@lang.hm>
> >>>>>> Cc: rsyslog@lists.adiscon.com
> >>>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>> "127.0.0.1"?
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> Thank you for the quick response.
> >>>>>>
> >>>>>> The logging here is all done locally, and the issue is in EVERY log
> >>>>>> message. The source is local (a call to vsyslog() in an
> >>>>>> application),
> >>>>>> or
> >>>>>> even just a call to "logger". Here is the resulting log message
> >>>>>> from
> >>>>>> rsyslogd starting up:
> >>>>>>
> >>>>>> Debug line with all properties:
> >>>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI: 46,
> >>>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> >>>>>> PROCID:
> >>>>>> '-', MSGID: '-',
> >>>>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>> x-pid="17368"
> >>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>> $!:
> >>>>>> $.:
> >>>>>> $/:
> >>>>>>
> >>>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here,
> >>>>>> but
> >>>>>> my
> >>>>>> guess that's the problem?
> >>>>>>
> >>>>>> I can run the same config on the nios2 if you want to see what it
> >>>>>> says,
> >>>>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> >>>>>> "nios2"
> >>>>>> instead of "127".
> >>>>>>
> >>>>>> The contents of /etc/hosts is effectively the same on both machines
> >>>>>> (the
> >>>>>> one that works correctly and this one).
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> -derek
> >>>>>>
> >>>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>>>>> please log with the template RSYSLOG_DebugFormat so that we can see
> >>>>>>> exactly what
> >>>>>>> rsyslog is being sent for a problem message.
> >>>>>>>
> >>>>>>> David Lang
> >>>>>>>
> >>>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>>>
> >>>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>>>>> To: rsyslog@lists.adiscon.com
> >>>>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>> "127.0.0.1"?
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> I'm using rsyslog in a BuildRoot environment. I've built it on
> >>>>>>>> two
> >>>>>>>> different platforms (nios2 and arm). The Nios2 platform works
> >>>>>>>> great.
> >>>>>>>> However, on the Arm platform, rsyslog seems to think the local
> >>>>>>>> hostname
> >>>>>>>> is
> >>>>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> >>>>>>>> contains:
> >>>>>>>>
> >>>>>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>>>>> swVersion="8.2010.0" x-pid="8080"
> >>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>> start
> >>>>>>>>
> >>>>>>>> Notice the "127" in there? That's where the "hostname" is
> >>>>>>>> supposed
> >>>>>>>> to
> >>>>>>>> be.
> >>>>>>>> So if for some reason it thinks the FQDN is an IP address, that
> >>>>>>>> would
> >>>>>>>> explain why this is doing that. But that's weird, because:
> >>>>>>>>
> >>>>>>>> # hostname
> >>>>>>>> arm-host
> >>>>>>>>
> >>>>>>>> Moreover, if I compile and run the code to execute a
> >>>>>>>> "gethostbyname()"
> >>>>>>>> it
> >>>>>>>> also returns "arm-host". So I have no idea where it's getting the
> >>>>>>>> idea
> >>>>>>>> that the hostname/FQDN is an IP Address.
> >>>>>>>>
> >>>>>>>> I'll note that on the Nios2 this works as expected:
> >>>>>>>>
> >>>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>>>>> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com
> "]
> >>>>>>>> start
> >>>>>>>>
> >>>>>>>> I'll say this is the same version of rsyslog on both systems,
> >>>>>>>> built
> >>>>>>>> with
> >>>>>>>> the same sources, and (ostensibly) with the same build-time, and
> >>>>>>>> definitely the same run-time configurations.
> >>>>>>>>
> >>>>>>>> I'm just at a loss for why rsyslog might be doing this, and I'm
> >>>>>>>> not
> >>>>>>>> sure
> >>>>>>>> where else to look.
> >>>>>>>>
> >>>>>>>> So I'm hoping you experts might be able to help me?
> >>>>>>>>
> >>>>>>>> Thanks!
> >>>>>>>>
> >>>>>>>> -derek
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Derek Atkins 617-623-3745
> >>>> derek@ihtfp.com www.ihtfp.com
> >>>> Computer and Internet Security Consultant
> >>>>
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>> http://www.rsyslog.com/professional-services/
> >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>> myriad
> >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>>> DON'T LIKE THAT.
> >>>>
> >>>
> >>>
> >>> --
> >>> Derek Atkins 617-623-3745
> >>> derek@ihtfp.com www.ihtfp.com
> >>> Computer and Internet Security Consultant
> >>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>> myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T LIKE THAT.
> >>>
> >>
> >>
> >>
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
>
> ------------------------------
>
> Message: 37
> Date: Wed, 6 Oct 2021 11:35:57 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: Derek Atkins <derek@ihtfp.com>
> Cc: David Lang <david@lang.hm>, Derek Atkins via rsyslog
> <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is "127.0.0.1"?
> Message-ID: <rn4pn930-60o0-52s-16n4-ps783o71990@ynat.uz>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> $template foo,"%$myhostname%/n"
> /var/log/myhostname;foo
>
> run this for a very short time as it will write a line to this file for
> every
> log message that arrives :-)
>
> David Lang
>
> On Wed, 6 Oct 2021, Derek Atkins wrote:
>
> > Date: Wed, 6 Oct 2021 13:45:56 -0400
> > From: Derek Atkins <derek@ihtfp.com>
> > To: David Lang <david@lang.hm>
> > Cc: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> > Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname
> is
> > "127.0.0.1"?
> >
> > David,
> >
> > I am happy to revert back to the uclibc installation and feed you data,
> if
> > you can give me what to copy-and-paste into my rsyslogd.conf file?
> >
> > -derek
> >
> > On Wed, October 6, 2021 1:43 pm, David Lang wrote:
> >> I believe that rsyslog uses the gethostbyname() call to convert the IP
> to
> >> name
> >>
> >> it would also be interesting to create a custom templete with
> >> %$myhostname% in
> >> it and see what that returns.
> >>
> >> I'm not sure if in this case, rsyslog is seeing that there is no
> hostname
> >> in the
> >> message and using $myhostname (and that is wrong) or if it's trying to
> >> resolve
> >> 127.0.0.1 and that's failing (I suspect that it's the $myhostname that's
> >> wrong)
> >>
> >> If we can identify what's happening, we can then try to create a fix. It
> >> would
> >> be nice to support non-glibc builds
> >>
> >> David Lang
> >>
> >>
> >> On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
> >>
> >>> I just rebuilt the Arm platform with GLibc and.... syslog is working.
> >>> So I will go and blame uclibc for the bug.
> >>>
> >>> Thank you for getting me to look more closely (and pointing out that
> the
> >>> issue is that rsyslogd was not getting a valid hostname).
> >>>
> >>> Thanks all!
> >>>
> >>> -derek
> >>>
> >>> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> >>>> Good morning,
> >>>>
> >>>> Thank you for your help so far.
> >>>>
> >>>> I just wanted to add one more piece of data, on my other host
> (compiled
> >>>> in
> >>>> the same way from the same source in the same BuildRoot manner, but on
> >>>> a
> >>>> different platform), I get what I would expect:
> >>>>
> >>>> Debug line with all properties:
> >>>> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI:
> >>>> 46,
> >>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> >>>> 'rsyslogd',
> >>>> PROCID: '-', MSGID: '-',
> >>>> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> >>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>>> x-info="https://www.rsyslog.com"] start'
> >>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >>>> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> >>>> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>>> x-info="https://www.rsyslog.com"] start'
> >>>> $!:
> >>>> $.:
> >>>> $/:
> >>>>
> >>>> So ... FROMHOST and HOSTNAME are clearly correct here. So I guess my
> >>>> question is, what APIs are rsyslogd using to try to obtain this
> >>>> information? I can certainly compile additional test code and run it
> >>>> if
> >>>> necessary. I just find it odd that the *host* knows its name but
> >>>> rsyslogd
> >>>> can't figure it out?
> >>>>
> >>>> Actually, looking a little closer, I noticed that I'm using uclibc on
> >>>> the
> >>>> arm platform (the broken one), but glibc on the nios2. I wonder if
> >>>> this
> >>>> is the issue?
> >>>>
> >>>> -derek
> >>>>
> >>>> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >>>>> As I said in my OP:
> >>>>>
> >>>>> # hostname
> >>>>> arm-host
> >>>>>
> >>>>> and from this query:
> >>>>>
> >>>>> # cat /etc/hosts
> >>>>> 127.0.0.1 localhost
> >>>>> 127.0.1.1 arm-host
> >>>>>
> >>>>>
> >>>>> However, as I also stated in my OP, I another another machine on a
> >>>>> nios2
> >>>>> with the exact same configuration and there the log messages say the
> >>>>> correct hostname.
> >>>>>
> >>>>> -derek
> >>>>>
> >>>>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >>>>>> what is in /etc/hosts and what do you get if you run the command
> >>>>>> hostname?
> >>>>>>
> >>>>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>>>>>
> >>>>>> the log message you received (as seen by the rawmsg: section) does
> >>>>>> not
> >>>>>> provide a
> >>>>>> hostname (which could have been the problem)
> >>>>>>
> >>>>>> so based on this, the problem is with name resolution, which should
> >>>>>> start
> >>>>>> with
> >>>>>> /etc/hosts and hostname
> >>>>>>
> >>>>>> David Lang
> >>>>>>
> >>>>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>>>>>
> >>>>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>>>>>> From: Derek Atkins <derek@ihtfp.com>
> >>>>>>> To: David Lang <david@lang.hm>
> >>>>>>> Cc: rsyslog@lists.adiscon.com
> >>>>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>> "127.0.0.1"?
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Thank you for the quick response.
> >>>>>>>
> >>>>>>> The logging here is all done locally, and the issue is in EVERY log
> >>>>>>> message. The source is local (a call to vsyslog() in an
> >>>>>>> application),
> >>>>>>> or
> >>>>>>> even just a call to "logger". Here is the resulting log message
> >>>>>>> from
> >>>>>>> rsyslogd starting up:
> >>>>>>>
> >>>>>>> Debug line with all properties:
> >>>>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI:
> 46,
> >>>>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> >>>>>>> PROCID:
> >>>>>>> '-', MSGID: '-',
> >>>>>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>> x-pid="17368"
> >>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >>>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>> $!:
> >>>>>>> $.:
> >>>>>>> $/:
> >>>>>>>
> >>>>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here,
> >>>>>>> but
> >>>>>>> my
> >>>>>>> guess that's the problem?
> >>>>>>>
> >>>>>>> I can run the same config on the nios2 if you want to see what it
> >>>>>>> says,
> >>>>>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> >>>>>>> "nios2"
> >>>>>>> instead of "127".
> >>>>>>>
> >>>>>>> The contents of /etc/hosts is effectively the same on both machines
> >>>>>>> (the
> >>>>>>> one that works correctly and this one).
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> -derek
> >>>>>>>
> >>>>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>>>>>> please log with the template RSYSLOG_DebugFormat so that we can
> see
> >>>>>>>> exactly what
> >>>>>>>> rsyslog is being sent for a problem message.
> >>>>>>>>
> >>>>>>>> David Lang
> >>>>>>>>
> >>>>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>>>>
> >>>>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>>>>>> To: rsyslog@lists.adiscon.com
> >>>>>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>>> "127.0.0.1"?
> >>>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> I'm using rsyslog in a BuildRoot environment. I've built it on
> >>>>>>>>> two
> >>>>>>>>> different platforms (nios2 and arm). The Nios2 platform works
> >>>>>>>>> great.
> >>>>>>>>> However, on the Arm platform, rsyslog seems to think the local
> >>>>>>>>> hostname
> >>>>>>>>> is
> >>>>>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> >>>>>>>>> contains:
> >>>>>>>>>
> >>>>>>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>>>>>> swVersion="8.2010.0" x-pid="8080"
> >>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>> start
> >>>>>>>>>
> >>>>>>>>> Notice the "127" in there? That's where the "hostname" is
> >>>>>>>>> supposed
> >>>>>>>>> to
> >>>>>>>>> be.
> >>>>>>>>> So if for some reason it thinks the FQDN is an IP address, that
> >>>>>>>>> would
> >>>>>>>>> explain why this is doing that. But that's weird, because:
> >>>>>>>>>
> >>>>>>>>> # hostname
> >>>>>>>>> arm-host
> >>>>>>>>>
> >>>>>>>>> Moreover, if I compile and run the code to execute a
> >>>>>>>>> "gethostbyname()"
> >>>>>>>>> it
> >>>>>>>>> also returns "arm-host". So I have no idea where it's getting
> the
> >>>>>>>>> idea
> >>>>>>>>> that the hostname/FQDN is an IP Address.
> >>>>>>>>>
> >>>>>>>>> I'll note that on the Nios2 this works as expected:
> >>>>>>>>>
> >>>>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>>>>>> swVersion="8.2010.0" x-pid="830" x-info="https://www.rsyslog.com
> "]
> >>>>>>>>> start
> >>>>>>>>>
> >>>>>>>>> I'll say this is the same version of rsyslog on both systems,
> >>>>>>>>> built
> >>>>>>>>> with
> >>>>>>>>> the same sources, and (ostensibly) with the same build-time, and
> >>>>>>>>> definitely the same run-time configurations.
> >>>>>>>>>
> >>>>>>>>> I'm just at a loss for why rsyslog might be doing this, and I'm
> >>>>>>>>> not
> >>>>>>>>> sure
> >>>>>>>>> where else to look.
> >>>>>>>>>
> >>>>>>>>> So I'm hoping you experts might be able to help me?
> >>>>>>>>>
> >>>>>>>>> Thanks!
> >>>>>>>>>
> >>>>>>>>> -derek
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Derek Atkins 617-623-3745
> >>>>> derek@ihtfp.com www.ihtfp.com
> >>>>> Computer and Internet Security Consultant
> >>>>>
> >>>>> _______________________________________________
> >>>>> rsyslog mailing list
> >>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>> http://www.rsyslog.com/professional-services/
> >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>> myriad
> >>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> you
> >>>>> DON'T LIKE THAT.
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Derek Atkins 617-623-3745
> >>>> derek@ihtfp.com www.ihtfp.com
> >>>> Computer and Internet Security Consultant
> >>>>
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>> http://www.rsyslog.com/professional-services/
> >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>> myriad
> >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>>> DON'T LIKE THAT.
> >>>>
> >>>
> >>>
> >>>
> >>
> >
> >
> >
>
>
> ------------------------------
>
> Message: 38
> Date: Wed, 6 Oct 2021 16:20:46 -0400
> From: "Derek Atkins" <derek@ihtfp.com>
> To: "David Lang" <david@lang.hm>
> Cc: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is "127.0.0.1"?
> Message-ID:
> <d00477be4f6e7127b3e7f3cd7652a589.squirrel@mail2.ihtfp.org>
> Content-Type: text/plain;charset=utf-8
>
> David,
>
> # cat >> /etc/rsyslog.conf
> $template foo,"%$myhostname%/n"
> /var/log/myhostname;foo
> # /etc/init.d/S01rsyslogd restart
> Stopping rsyslogd: OK
> Starting rsyslogd: OK
> # tail /var/log/myhostname
> 127/n#
>
> -derek
>
> On Wed, October 6, 2021 2:35 pm, David Lang wrote:
> > $template foo,"%$myhostname%/n"
> > /var/log/myhostname;foo
> >
> > run this for a very short time as it will write a line to this file for
> > every
> > log message that arrives :-)
> >
> > David Lang
> >
> > On Wed, 6 Oct 2021, Derek Atkins wrote:
> >
> >> Date: Wed, 6 Oct 2021 13:45:56 -0400
> >> From: Derek Atkins <derek@ihtfp.com>
> >> To: David Lang <david@lang.hm>
> >> Cc: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname
> >> is
> >> "127.0.0.1"?
> >>
> >> David,
> >>
> >> I am happy to revert back to the uclibc installation and feed you data,
> >> if
> >> you can give me what to copy-and-paste into my rsyslogd.conf file?
> >>
> >> -derek
> >>
> >> On Wed, October 6, 2021 1:43 pm, David Lang wrote:
> >>> I believe that rsyslog uses the gethostbyname() call to convert the IP
> >>> to
> >>> name
> >>>
> >>> it would also be interesting to create a custom templete with
> >>> %$myhostname% in
> >>> it and see what that returns.
> >>>
> >>> I'm not sure if in this case, rsyslog is seeing that there is no
> >>> hostname
> >>> in the
> >>> message and using $myhostname (and that is wrong) or if it's trying to
> >>> resolve
> >>> 127.0.0.1 and that's failing (I suspect that it's the $myhostname
> >>> that's
> >>> wrong)
> >>>
> >>> If we can identify what's happening, we can then try to create a fix.
> >>> It
> >>> would
> >>> be nice to support non-glibc builds
> >>>
> >>> David Lang
> >>>
> >>>
> >>> On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>
> >>>> I just rebuilt the Arm platform with GLibc and.... syslog is working.
> >>>> So I will go and blame uclibc for the bug.
> >>>>
> >>>> Thank you for getting me to look more closely (and pointing out that
> >>>> the
> >>>> issue is that rsyslogd was not getting a valid hostname).
> >>>>
> >>>> Thanks all!
> >>>>
> >>>> -derek
> >>>>
> >>>> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> >>>>> Good morning,
> >>>>>
> >>>>> Thank you for your help so far.
> >>>>>
> >>>>> I just wanted to add one more piece of data, on my other host
> >>>>> (compiled
> >>>>> in
> >>>>> the same way from the same source in the same BuildRoot manner, but
> >>>>> on
> >>>>> a
> >>>>> different platform), I get what I would expect:
> >>>>>
> >>>>> Debug line with all properties:
> >>>>> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI:
> >>>>> 46,
> >>>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> >>>>> 'rsyslogd',
> >>>>> PROCID: '-', MSGID: '-',
> >>>>> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> >>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>>>> x-info="https://www.rsyslog.com"] start'
> >>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >>>>> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> >>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>>>> x-info="https://www.rsyslog.com"] start'
> >>>>> $!:
> >>>>> $.:
> >>>>> $/:
> >>>>>
> >>>>> So ... FROMHOST and HOSTNAME are clearly correct here. So I guess my
> >>>>> question is, what APIs are rsyslogd using to try to obtain this
> >>>>> information? I can certainly compile additional test code and run it
> >>>>> if
> >>>>> necessary. I just find it odd that the *host* knows its name but
> >>>>> rsyslogd
> >>>>> can't figure it out?
> >>>>>
> >>>>> Actually, looking a little closer, I noticed that I'm using uclibc on
> >>>>> the
> >>>>> arm platform (the broken one), but glibc on the nios2. I wonder if
> >>>>> this
> >>>>> is the issue?
> >>>>>
> >>>>> -derek
> >>>>>
> >>>>> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >>>>>> As I said in my OP:
> >>>>>>
> >>>>>> # hostname
> >>>>>> arm-host
> >>>>>>
> >>>>>> and from this query:
> >>>>>>
> >>>>>> # cat /etc/hosts
> >>>>>> 127.0.0.1 localhost
> >>>>>> 127.0.1.1 arm-host
> >>>>>>
> >>>>>>
> >>>>>> However, as I also stated in my OP, I another another machine on a
> >>>>>> nios2
> >>>>>> with the exact same configuration and there the log messages say the
> >>>>>> correct hostname.
> >>>>>>
> >>>>>> -derek
> >>>>>>
> >>>>>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >>>>>>> what is in /etc/hosts and what do you get if you run the command
> >>>>>>> hostname?
> >>>>>>>
> >>>>>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>>>>>>
> >>>>>>> the log message you received (as seen by the rawmsg: section) does
> >>>>>>> not
> >>>>>>> provide a
> >>>>>>> hostname (which could have been the problem)
> >>>>>>>
> >>>>>>> so based on this, the problem is with name resolution, which should
> >>>>>>> start
> >>>>>>> with
> >>>>>>> /etc/hosts and hostname
> >>>>>>>
> >>>>>>> David Lang
> >>>>>>>
> >>>>>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>>>>>>
> >>>>>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>>>>>>> From: Derek Atkins <derek@ihtfp.com>
> >>>>>>>> To: David Lang <david@lang.hm>
> >>>>>>>> Cc: rsyslog@lists.adiscon.com
> >>>>>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>> "127.0.0.1"?
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> Thank you for the quick response.
> >>>>>>>>
> >>>>>>>> The logging here is all done locally, and the issue is in EVERY
> >>>>>>>> log
> >>>>>>>> message. The source is local (a call to vsyslog() in an
> >>>>>>>> application),
> >>>>>>>> or
> >>>>>>>> even just a call to "logger". Here is the resulting log message
> >>>>>>>> from
> >>>>>>>> rsyslogd starting up:
> >>>>>>>>
> >>>>>>>> Debug line with all properties:
> >>>>>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI:
> >>>>>>>> 46,
> >>>>>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> >>>>>>>> PROCID:
> >>>>>>>> '-', MSGID: '-',
> >>>>>>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>>>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>> x-pid="17368"
> >>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>>>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >>>>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>> $!:
> >>>>>>>> $.:
> >>>>>>>> $/:
> >>>>>>>>
> >>>>>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from here,
> >>>>>>>> but
> >>>>>>>> my
> >>>>>>>> guess that's the problem?
> >>>>>>>>
> >>>>>>>> I can run the same config on the nios2 if you want to see what it
> >>>>>>>> says,
> >>>>>>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> >>>>>>>> "nios2"
> >>>>>>>> instead of "127".
> >>>>>>>>
> >>>>>>>> The contents of /etc/hosts is effectively the same on both
> >>>>>>>> machines
> >>>>>>>> (the
> >>>>>>>> one that works correctly and this one).
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>>
> >>>>>>>> -derek
> >>>>>>>>
> >>>>>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>>>>>>> please log with the template RSYSLOG_DebugFormat so that we can
> >>>>>>>>> see
> >>>>>>>>> exactly what
> >>>>>>>>> rsyslog is being sent for a problem message.
> >>>>>>>>>
> >>>>>>>>> David Lang
> >>>>>>>>>
> >>>>>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>>>>>
> >>>>>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>>>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>>>>>>> To: rsyslog@lists.adiscon.com
> >>>>>>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>>>> "127.0.0.1"?
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>>
> >>>>>>>>>> I'm using rsyslog in a BuildRoot environment. I've built it on
> >>>>>>>>>> two
> >>>>>>>>>> different platforms (nios2 and arm). The Nios2 platform works
> >>>>>>>>>> great.
> >>>>>>>>>> However, on the Arm platform, rsyslog seems to think the local
> >>>>>>>>>> hostname
> >>>>>>>>>> is
> >>>>>>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> >>>>>>>>>> contains:
> >>>>>>>>>>
> >>>>>>>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>>>>>>> swVersion="8.2010.0" x-pid="8080"
> >>>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>>> start
> >>>>>>>>>>
> >>>>>>>>>> Notice the "127" in there? That's where the "hostname" is
> >>>>>>>>>> supposed
> >>>>>>>>>> to
> >>>>>>>>>> be.
> >>>>>>>>>> So if for some reason it thinks the FQDN is an IP address, that
> >>>>>>>>>> would
> >>>>>>>>>> explain why this is doing that. But that's weird, because:
> >>>>>>>>>>
> >>>>>>>>>> # hostname
> >>>>>>>>>> arm-host
> >>>>>>>>>>
> >>>>>>>>>> Moreover, if I compile and run the code to execute a
> >>>>>>>>>> "gethostbyname()"
> >>>>>>>>>> it
> >>>>>>>>>> also returns "arm-host". So I have no idea where it's getting
> >>>>>>>>>> the
> >>>>>>>>>> idea
> >>>>>>>>>> that the hostname/FQDN is an IP Address.
> >>>>>>>>>>
> >>>>>>>>>> I'll note that on the Nios2 this works as expected:
> >>>>>>>>>>
> >>>>>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>>>>>>> swVersion="8.2010.0" x-pid="830"
> >>>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>>> start
> >>>>>>>>>>
> >>>>>>>>>> I'll say this is the same version of rsyslog on both systems,
> >>>>>>>>>> built
> >>>>>>>>>> with
> >>>>>>>>>> the same sources, and (ostensibly) with the same build-time, and
> >>>>>>>>>> definitely the same run-time configurations.
> >>>>>>>>>>
> >>>>>>>>>> I'm just at a loss for why rsyslog might be doing this, and I'm
> >>>>>>>>>> not
> >>>>>>>>>> sure
> >>>>>>>>>> where else to look.
> >>>>>>>>>>
> >>>>>>>>>> So I'm hoping you experts might be able to help me?
> >>>>>>>>>>
> >>>>>>>>>> Thanks!
> >>>>>>>>>>
> >>>>>>>>>> -derek
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Derek Atkins 617-623-3745
> >>>>>> derek@ihtfp.com www.ihtfp.com
> >>>>>> Computer and Internet Security Consultant
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> rsyslog mailing list
> >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>> http://www.rsyslog.com/professional-services/
> >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>> myriad
> >>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >>>>>> you
> >>>>>> DON'T LIKE THAT.
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Derek Atkins 617-623-3745
> >>>>> derek@ihtfp.com www.ihtfp.com
> >>>>> Computer and Internet Security Consultant
> >>>>>
> >>>>> _______________________________________________
> >>>>> rsyslog mailing list
> >>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>> http://www.rsyslog.com/professional-services/
> >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>> myriad
> >>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >>>>> you
> >>>>> DON'T LIKE THAT.
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
>
> ------------------------------
>
> Message: 39
> Date: Wed, 6 Oct 2021 15:06:04 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: Derek Atkins <derek@ihtfp.com>
> Cc: David Lang <david@lang.hm>, rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is "127.0.0.1"?
> Message-ID: <4497os5-o26p-4438-84no-758p6p8qno7n@ynat.uz>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> ok, that confirms that the syscall to get the hostname isn't working
>
> Rainer, what call do we make?
>
> David Lang
>
> On Wed, 6 Oct 2021, Derek Atkins wrote:
>
> > Date: Wed, 6 Oct 2021 16:20:46 -0400
> > From: Derek Atkins <derek@ihtfp.com>
> > To: David Lang <david@lang.hm>
> > Cc: rsyslog@lists.adiscon.com
> > Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname
> is
> > "127.0.0.1"?
> >
> > David,
> >
> > # cat >> /etc/rsyslog.conf
> > $template foo,"%$myhostname%/n"
> > /var/log/myhostname;foo
> > # /etc/init.d/S01rsyslogd restart
> > Stopping rsyslogd: OK
> > Starting rsyslogd: OK
> > # tail /var/log/myhostname
> > 127/n#
> >
> > -derek
> >
> > On Wed, October 6, 2021 2:35 pm, David Lang wrote:
> >> $template foo,"%$myhostname%/n"
> >> /var/log/myhostname;foo
> >>
> >> run this for a very short time as it will write a line to this file for
> >> every
> >> log message that arrives :-)
> >>
> >> David Lang
> >>
> >> On Wed, 6 Oct 2021, Derek Atkins wrote:
> >>
> >>> Date: Wed, 6 Oct 2021 13:45:56 -0400
> >>> From: Derek Atkins <derek@ihtfp.com>
> >>> To: David Lang <david@lang.hm>
> >>> Cc: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname
> >>> is
> >>> "127.0.0.1"?
> >>>
> >>> David,
> >>>
> >>> I am happy to revert back to the uclibc installation and feed you data,
> >>> if
> >>> you can give me what to copy-and-paste into my rsyslogd.conf file?
> >>>
> >>> -derek
> >>>
> >>> On Wed, October 6, 2021 1:43 pm, David Lang wrote:
> >>>> I believe that rsyslog uses the gethostbyname() call to convert the IP
> >>>> to
> >>>> name
> >>>>
> >>>> it would also be interesting to create a custom templete with
> >>>> %$myhostname% in
> >>>> it and see what that returns.
> >>>>
> >>>> I'm not sure if in this case, rsyslog is seeing that there is no
> >>>> hostname
> >>>> in the
> >>>> message and using $myhostname (and that is wrong) or if it's trying to
> >>>> resolve
> >>>> 127.0.0.1 and that's failing (I suspect that it's the $myhostname
> >>>> that's
> >>>> wrong)
> >>>>
> >>>> If we can identify what's happening, we can then try to create a fix.
> >>>> It
> >>>> would
> >>>> be nice to support non-glibc builds
> >>>>
> >>>> David Lang
> >>>>
> >>>>
> >>>> On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>
> >>>>> I just rebuilt the Arm platform with GLibc and.... syslog is working.
> >>>>> So I will go and blame uclibc for the bug.
> >>>>>
> >>>>> Thank you for getting me to look more closely (and pointing out that
> >>>>> the
> >>>>> issue is that rsyslogd was not getting a valid hostname).
> >>>>>
> >>>>> Thanks all!
> >>>>>
> >>>>> -derek
> >>>>>
> >>>>> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> >>>>>> Good morning,
> >>>>>>
> >>>>>> Thank you for your help so far.
> >>>>>>
> >>>>>> I just wanted to add one more piece of data, on my other host
> >>>>>> (compiled
> >>>>>> in
> >>>>>> the same way from the same source in the same BuildRoot manner, but
> >>>>>> on
> >>>>>> a
> >>>>>> different platform), I get what I would expect:
> >>>>>>
> >>>>>> Debug line with all properties:
> >>>>>> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2', PRI:
> >>>>>> 46,
> >>>>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> >>>>>> 'rsyslogd',
> >>>>>> PROCID: '-', MSGID: '-',
> >>>>>> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> >>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> >>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>> $!:
> >>>>>> $.:
> >>>>>> $/:
> >>>>>>
> >>>>>> So ... FROMHOST and HOSTNAME are clearly correct here. So I guess
> my
> >>>>>> question is, what APIs are rsyslogd using to try to obtain this
> >>>>>> information? I can certainly compile additional test code and run
> it
> >>>>>> if
> >>>>>> necessary. I just find it odd that the *host* knows its name but
> >>>>>> rsyslogd
> >>>>>> can't figure it out?
> >>>>>>
> >>>>>> Actually, looking a little closer, I noticed that I'm using uclibc
> on
> >>>>>> the
> >>>>>> arm platform (the broken one), but glibc on the nios2. I wonder if
> >>>>>> this
> >>>>>> is the issue?
> >>>>>>
> >>>>>> -derek
> >>>>>>
> >>>>>> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >>>>>>> As I said in my OP:
> >>>>>>>
> >>>>>>> # hostname
> >>>>>>> arm-host
> >>>>>>>
> >>>>>>> and from this query:
> >>>>>>>
> >>>>>>> # cat /etc/hosts
> >>>>>>> 127.0.0.1 localhost
> >>>>>>> 127.0.1.1 arm-host
> >>>>>>>
> >>>>>>>
> >>>>>>> However, as I also stated in my OP, I another another machine on a
> >>>>>>> nios2
> >>>>>>> with the exact same configuration and there the log messages say
> the
> >>>>>>> correct hostname.
> >>>>>>>
> >>>>>>> -derek
> >>>>>>>
> >>>>>>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >>>>>>>> what is in /etc/hosts and what do you get if you run the command
> >>>>>>>> hostname?
> >>>>>>>>
> >>>>>>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>>>>>>>
> >>>>>>>> the log message you received (as seen by the rawmsg: section) does
> >>>>>>>> not
> >>>>>>>> provide a
> >>>>>>>> hostname (which could have been the problem)
> >>>>>>>>
> >>>>>>>> so based on this, the problem is with name resolution, which
> should
> >>>>>>>> start
> >>>>>>>> with
> >>>>>>>> /etc/hosts and hostname
> >>>>>>>>
> >>>>>>>> David Lang
> >>>>>>>>
> >>>>>>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>>>>>>>
> >>>>>>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>>>>>>>> From: Derek Atkins <derek@ihtfp.com>
> >>>>>>>>> To: David Lang <david@lang.hm>
> >>>>>>>>> Cc: rsyslog@lists.adiscon.com
> >>>>>>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>>> "127.0.0.1"?
> >>>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> Thank you for the quick response.
> >>>>>>>>>
> >>>>>>>>> The logging here is all done locally, and the issue is in EVERY
> >>>>>>>>> log
> >>>>>>>>> message. The source is local (a call to vsyslog() in an
> >>>>>>>>> application),
> >>>>>>>>> or
> >>>>>>>>> even just a call to "logger". Here is the resulting log message
> >>>>>>>>> from
> >>>>>>>>> rsyslogd starting up:
> >>>>>>>>>
> >>>>>>>>> Debug line with all properties:
> >>>>>>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI:
> >>>>>>>>> 46,
> >>>>>>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> >>>>>>>>> PROCID:
> >>>>>>>>> '-', MSGID: '-',
> >>>>>>>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>>>>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>>> x-pid="17368"
> >>>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>>>>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >>>>>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>>> $!:
> >>>>>>>>> $.:
> >>>>>>>>> $/:
> >>>>>>>>>
> >>>>>>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from
> here,
> >>>>>>>>> but
> >>>>>>>>> my
> >>>>>>>>> guess that's the problem?
> >>>>>>>>>
> >>>>>>>>> I can run the same config on the nios2 if you want to see what it
> >>>>>>>>> says,
> >>>>>>>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> >>>>>>>>> "nios2"
> >>>>>>>>> instead of "127".
> >>>>>>>>>
> >>>>>>>>> The contents of /etc/hosts is effectively the same on both
> >>>>>>>>> machines
> >>>>>>>>> (the
> >>>>>>>>> one that works correctly and this one).
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>>
> >>>>>>>>> -derek
> >>>>>>>>>
> >>>>>>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>>>>>>>> please log with the template RSYSLOG_DebugFormat so that we can
> >>>>>>>>>> see
> >>>>>>>>>> exactly what
> >>>>>>>>>> rsyslog is being sent for a problem message.
> >>>>>>>>>>
> >>>>>>>>>> David Lang
> >>>>>>>>>>
> >>>>>>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>>>>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>>>>>>>> To: rsyslog@lists.adiscon.com
> >>>>>>>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>>>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>>>>> "127.0.0.1"?
> >>>>>>>>>>>
> >>>>>>>>>>> Hi,
> >>>>>>>>>>>
> >>>>>>>>>>> I'm using rsyslog in a BuildRoot environment. I've built it on
> >>>>>>>>>>> two
> >>>>>>>>>>> different platforms (nios2 and arm). The Nios2 platform works
> >>>>>>>>>>> great.
> >>>>>>>>>>> However, on the Arm platform, rsyslog seems to think the local
> >>>>>>>>>>> hostname
> >>>>>>>>>>> is
> >>>>>>>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> >>>>>>>>>>> contains:
> >>>>>>>>>>>
> >>>>>>>>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>>>>>>>> swVersion="8.2010.0" x-pid="8080"
> >>>>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>>>> start
> >>>>>>>>>>>
> >>>>>>>>>>> Notice the "127" in there? That's where the "hostname" is
> >>>>>>>>>>> supposed
> >>>>>>>>>>> to
> >>>>>>>>>>> be.
> >>>>>>>>>>> So if for some reason it thinks the FQDN is an IP address, that
> >>>>>>>>>>> would
> >>>>>>>>>>> explain why this is doing that. But that's weird, because:
> >>>>>>>>>>>
> >>>>>>>>>>> # hostname
> >>>>>>>>>>> arm-host
> >>>>>>>>>>>
> >>>>>>>>>>> Moreover, if I compile and run the code to execute a
> >>>>>>>>>>> "gethostbyname()"
> >>>>>>>>>>> it
> >>>>>>>>>>> also returns "arm-host". So I have no idea where it's getting
> >>>>>>>>>>> the
> >>>>>>>>>>> idea
> >>>>>>>>>>> that the hostname/FQDN is an IP Address.
> >>>>>>>>>>>
> >>>>>>>>>>> I'll note that on the Nios2 this works as expected:
> >>>>>>>>>>>
> >>>>>>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>>>>>>>> swVersion="8.2010.0" x-pid="830"
> >>>>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>>>> start
> >>>>>>>>>>>
> >>>>>>>>>>> I'll say this is the same version of rsyslog on both systems,
> >>>>>>>>>>> built
> >>>>>>>>>>> with
> >>>>>>>>>>> the same sources, and (ostensibly) with the same build-time,
> and
> >>>>>>>>>>> definitely the same run-time configurations.
> >>>>>>>>>>>
> >>>>>>>>>>> I'm just at a loss for why rsyslog might be doing this, and I'm
> >>>>>>>>>>> not
> >>>>>>>>>>> sure
> >>>>>>>>>>> where else to look.
> >>>>>>>>>>>
> >>>>>>>>>>> So I'm hoping you experts might be able to help me?
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks!
> >>>>>>>>>>>
> >>>>>>>>>>> -derek
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Derek Atkins 617-623-3745
> >>>>>>> derek@ihtfp.com www.ihtfp.com
> >>>>>>> Computer and Internet Security Consultant
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> rsyslog mailing list
> >>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>>> http://www.rsyslog.com/professional-services/
> >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>>> myriad
> >>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >>>>>>> you
> >>>>>>> DON'T LIKE THAT.
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Derek Atkins 617-623-3745
> >>>>>> derek@ihtfp.com www.ihtfp.com
> >>>>>> Computer and Internet Security Consultant
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> rsyslog mailing list
> >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>> http://www.rsyslog.com/professional-services/
> >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>> myriad
> >>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >>>>>> you
> >>>>>> DON'T LIKE THAT.
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >
> >
> >
>
>
> ------------------------------
>
> Message: 40
> Date: Wed, 6 Oct 2021 15:10:58 -0700 (PDT)
> From: David Lang <david@lang.hm>
> To: David Lang <david@lang.hm>
> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is "127.0.0.1"?
> Message-ID: <q238s5p-r23s-p38-458r-3s6ror4nr169@ynat.uz>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> try
>
> hostname -f
>
> that give the fully qualified hostname, it if returns 127.0.0.1 then
> somehow
> that is getting set as the hostname and gethostname() is removing all
> after the
> first '.', resulting in 127 that you are seeing
>
> try setting the hostname
>
> hostname name-you-want
>
> then restart rsyslog and see if it finds the correct name (if so, this is
> a
> problem in setting the name, not in rsyslog fetching the name)
>
> David Lang
>
>
> On Wed, 6 Oct 2021, David Lang
> wrote:
>
> > Date: Wed, 6 Oct 2021 15:06:04 -0700 (PDT)
> > From: David Lang <david@lang.hm>
> > To: Derek Atkins <derek@ihtfp.com>
> > Cc: David Lang <david@lang.hm>, rsyslog@lists.adiscon.com
> > Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname
> is
> > "127.0.0.1"?
> >
> > ok, that confirms that the syscall to get the hostname isn't working
> >
> > Rainer, what call do we make?
> >
> > David Lang
> >
> > On Wed, 6 Oct 2021, Derek Atkins wrote:
> >
> >> Date: Wed, 6 Oct 2021 16:20:46 -0400
> >> From: Derek Atkins <derek@ihtfp.com>
> >> To: David Lang <david@lang.hm>
> >> Cc: rsyslog@lists.adiscon.com
> >> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is
> >> "127.0.0.1"?
> >>
> >> David,
> >>
> >> # cat >> /etc/rsyslog.conf
> >> $template foo,"%$myhostname%/n"
> >> /var/log/myhostname;foo
> >> # /etc/init.d/S01rsyslogd restart
> >> Stopping rsyslogd: OK
> >> Starting rsyslogd: OK
> >> # tail /var/log/myhostname
> >> 127/n#
> >>
> >> -derek
> >>
> >> On Wed, October 6, 2021 2:35 pm, David Lang wrote:
> >>> $template foo,"%$myhostname%/n"
> >>> /var/log/myhostname;foo
> >>>
> >>> run this for a very short time as it will write a line to this file for
> >>> every
> >>> log message that arrives :-)
> >>>
> >>> David Lang
> >>>
> >>> On Wed, 6 Oct 2021, Derek Atkins wrote:
> >>>
> >>>> Date: Wed, 6 Oct 2021 13:45:56 -0400
> >>>> From: Derek Atkins <derek@ihtfp.com>
> >>>> To: David Lang <david@lang.hm>
> >>>> Cc: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname
> >>>> is
> >>>> "127.0.0.1"?
> >>>>
> >>>> David,
> >>>>
> >>>> I am happy to revert back to the uclibc installation and feed you
> data,
> >>>> if
> >>>> you can give me what to copy-and-paste into my rsyslogd.conf file?
> >>>>
> >>>> -derek
> >>>>
> >>>> On Wed, October 6, 2021 1:43 pm, David Lang wrote:
> >>>>> I believe that rsyslog uses the gethostbyname() call to convert the
> IP
> >>>>> to
> >>>>> name
> >>>>>
> >>>>> it would also be interesting to create a custom templete with
> >>>>> %$myhostname% in
> >>>>> it and see what that returns.
> >>>>>
> >>>>> I'm not sure if in this case, rsyslog is seeing that there is no
> >>>>> hostname
> >>>>> in the
> >>>>> message and using $myhostname (and that is wrong) or if it's trying
> to
> >>>>> resolve
> >>>>> 127.0.0.1 and that's failing (I suspect that it's the $myhostname
> >>>>> that's
> >>>>> wrong)
> >>>>>
> >>>>> If we can identify what's happening, we can then try to create a fix.
> >>>>> It
> >>>>> would
> >>>>> be nice to support non-glibc builds
> >>>>>
> >>>>> David Lang
> >>>>>
> >>>>>
> >>>>> On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>
> >>>>>> I just rebuilt the Arm platform with GLibc and.... syslog is
> working.
> >>>>>> So I will go and blame uclibc for the bug.
> >>>>>>
> >>>>>> Thank you for getting me to look more closely (and pointing out that
> >>>>>> the
> >>>>>> issue is that rsyslogd was not getting a valid hostname).
> >>>>>>
> >>>>>> Thanks all!
> >>>>>>
> >>>>>> -derek
> >>>>>>
> >>>>>> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> >>>>>>> Good morning,
> >>>>>>>
> >>>>>>> Thank you for your help so far.
> >>>>>>>
> >>>>>>> I just wanted to add one more piece of data, on my other host
> >>>>>>> (compiled
> >>>>>>> in
> >>>>>>> the same way from the same source in the same BuildRoot manner, but
> >>>>>>> on
> >>>>>>> a
> >>>>>>> different platform), I get what I would expect:
> >>>>>>>
> >>>>>>> Debug line with all properties:
> >>>>>>> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2',
> PRI:
> >>>>>>> 46,
> >>>>>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> >>>>>>> 'rsyslogd',
> >>>>>>> PROCID: '-', MSGID: '-',
> >>>>>>> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> >>>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> x-pid="1780"
> >>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >>>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> >>>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>> $!:
> >>>>>>> $.:
> >>>>>>> $/:
> >>>>>>>
> >>>>>>> So ... FROMHOST and HOSTNAME are clearly correct here. So I guess
> my
> >>>>>>> question is, what APIs are rsyslogd using to try to obtain this
> >>>>>>> information? I can certainly compile additional test code and run
> it
> >>>>>>> if
> >>>>>>> necessary. I just find it odd that the *host* knows its name but
> >>>>>>> rsyslogd
> >>>>>>> can't figure it out?
> >>>>>>>
> >>>>>>> Actually, looking a little closer, I noticed that I'm using uclibc
> on
> >>>>>>> the
> >>>>>>> arm platform (the broken one), but glibc on the nios2. I wonder if
> >>>>>>> this
> >>>>>>> is the issue?
> >>>>>>>
> >>>>>>> -derek
> >>>>>>>
> >>>>>>> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >>>>>>>> As I said in my OP:
> >>>>>>>>
> >>>>>>>> # hostname
> >>>>>>>> arm-host
> >>>>>>>>
> >>>>>>>> and from this query:
> >>>>>>>>
> >>>>>>>> # cat /etc/hosts
> >>>>>>>> 127.0.0.1 localhost
> >>>>>>>> 127.0.1.1 arm-host
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> However, as I also stated in my OP, I another another machine on a
> >>>>>>>> nios2
> >>>>>>>> with the exact same configuration and there the log messages say
> the
> >>>>>>>> correct hostname.
> >>>>>>>>
> >>>>>>>> -derek
> >>>>>>>>
> >>>>>>>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >>>>>>>>> what is in /etc/hosts and what do you get if you run the command
> >>>>>>>>> hostname?
> >>>>>>>>>
> >>>>>>>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>>>>>>>>
> >>>>>>>>> the log message you received (as seen by the rawmsg: section)
> does
> >>>>>>>>> not
> >>>>>>>>> provide a
> >>>>>>>>> hostname (which could have been the problem)
> >>>>>>>>>
> >>>>>>>>> so based on this, the problem is with name resolution, which
> should
> >>>>>>>>> start
> >>>>>>>>> with
> >>>>>>>>> /etc/hosts and hostname
> >>>>>>>>>
> >>>>>>>>> David Lang
> >>>>>>>>>
> >>>>>>>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>>>>>>>>
> >>>>>>>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>>>>>>>>> From: Derek Atkins <derek@ihtfp.com>
> >>>>>>>>>> To: David Lang <david@lang.hm>
> >>>>>>>>>> Cc: rsyslog@lists.adiscon.com
> >>>>>>>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>>>> "127.0.0.1"?
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>>
> >>>>>>>>>> Thank you for the quick response.
> >>>>>>>>>>
> >>>>>>>>>> The logging here is all done locally, and the issue is in EVERY
> >>>>>>>>>> log
> >>>>>>>>>> message. The source is local (a call to vsyslog() in an
> >>>>>>>>>> application),
> >>>>>>>>>> or
> >>>>>>>>>> even just a call to "logger". Here is the resulting log message
> >>>>>>>>>> from
> >>>>>>>>>> rsyslogd starting up:
> >>>>>>>>>>
> >>>>>>>>>> Debug line with all properties:
> >>>>>>>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127', PRI:
> >>>>>>>>>> 46,
> >>>>>>>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> >>>>>>>>>> PROCID:
> >>>>>>>>>> '-', MSGID: '-',
> >>>>>>>>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>>>>>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>>>> x-pid="17368"
> >>>>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>>>>>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog: [origin
> >>>>>>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>>>> $!:
> >>>>>>>>>> $.:
> >>>>>>>>>> $/:
> >>>>>>>>>>
> >>>>>>>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from
> here,
> >>>>>>>>>> but
> >>>>>>>>>> my
> >>>>>>>>>> guess that's the problem?
> >>>>>>>>>>
> >>>>>>>>>> I can run the same config on the nios2 if you want to see what
> it
> >>>>>>>>>> says,
> >>>>>>>>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> >>>>>>>>>> "nios2"
> >>>>>>>>>> instead of "127".
> >>>>>>>>>>
> >>>>>>>>>> The contents of /etc/hosts is effectively the same on both
> >>>>>>>>>> machines
> >>>>>>>>>> (the
> >>>>>>>>>> one that works correctly and this one).
> >>>>>>>>>>
> >>>>>>>>>> Thanks,
> >>>>>>>>>>
> >>>>>>>>>> -derek
> >>>>>>>>>>
> >>>>>>>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>>>>>>>>> please log with the template RSYSLOG_DebugFormat so that we can
> >>>>>>>>>>> see
> >>>>>>>>>>> exactly what
> >>>>>>>>>>> rsyslog is being sent for a problem message.
> >>>>>>>>>>>
> >>>>>>>>>>> David Lang
> >>>>>>>>>>>
> >>>>>>>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>>>>>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>>>>>>>>> To: rsyslog@lists.adiscon.com
> >>>>>>>>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>>>>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>>>>>> "127.0.0.1"?
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hi,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'm using rsyslog in a BuildRoot environment. I've built it
> on
> >>>>>>>>>>>> two
> >>>>>>>>>>>> different platforms (nios2 and arm). The Nios2 platform works
> >>>>>>>>>>>> great.
> >>>>>>>>>>>> However, on the Arm platform, rsyslog seems to think the local
> >>>>>>>>>>>> hostname
> >>>>>>>>>>>> is
> >>>>>>>>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> >>>>>>>>>>>> contains:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>>>>>>>>> swVersion="8.2010.0" x-pid="8080"
> >>>>>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>>>>> start
> >>>>>>>>>>>>
> >>>>>>>>>>>> Notice the "127" in there? That's where the "hostname" is
> >>>>>>>>>>>> supposed
> >>>>>>>>>>>> to
> >>>>>>>>>>>> be.
> >>>>>>>>>>>> So if for some reason it thinks the FQDN is an IP address,
> that
> >>>>>>>>>>>> would
> >>>>>>>>>>>> explain why this is doing that. But that's weird, because:
> >>>>>>>>>>>>
> >>>>>>>>>>>> # hostname
> >>>>>>>>>>>> arm-host
> >>>>>>>>>>>>
> >>>>>>>>>>>> Moreover, if I compile and run the code to execute a
> >>>>>>>>>>>> "gethostbyname()"
> >>>>>>>>>>>> it
> >>>>>>>>>>>> also returns "arm-host". So I have no idea where it's getting
> >>>>>>>>>>>> the
> >>>>>>>>>>>> idea
> >>>>>>>>>>>> that the hostname/FQDN is an IP Address.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'll note that on the Nios2 this works as expected:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>>>>>>>>> swVersion="8.2010.0" x-pid="830"
> >>>>>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>>>>> start
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'll say this is the same version of rsyslog on both systems,
> >>>>>>>>>>>> built
> >>>>>>>>>>>> with
> >>>>>>>>>>>> the same sources, and (ostensibly) with the same build-time,
> and
> >>>>>>>>>>>> definitely the same run-time configurations.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'm just at a loss for why rsyslog might be doing this, and
> I'm
> >>>>>>>>>>>> not
> >>>>>>>>>>>> sure
> >>>>>>>>>>>> where else to look.
> >>>>>>>>>>>>
> >>>>>>>>>>>> So I'm hoping you experts might be able to help me?
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks!
> >>>>>>>>>>>>
> >>>>>>>>>>>> -derek
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Derek Atkins 617-623-3745
> >>>>>>>> derek@ihtfp.com www.ihtfp.com
> >>>>>>>> Computer and Internet Security Consultant
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> rsyslog mailing list
> >>>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>>>> http://www.rsyslog.com/professional-services/
> >>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>>>> myriad
> >>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >>>>>>>> you
> >>>>>>>> DON'T LIKE THAT.
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Derek Atkins 617-623-3745
> >>>>>>> derek@ihtfp.com www.ihtfp.com
> >>>>>>> Computer and Internet Security Consultant
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> rsyslog mailing list
> >>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>>> http://www.rsyslog.com/professional-services/
> >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>>> myriad
> >>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >>>>>>> you
> >>>>>>> DON'T LIKE THAT.
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >
>
>
> ------------------------------
>
> Message: 41
> Date: Wed, 6 Oct 2021 18:25:26 -0400
> From: "Derek Atkins" <derek@ihtfp.com>
> To: "David Lang" <david@lang.hm>
> Cc: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is "127.0.0.1"?
> Message-ID:
> <ffb1ba6beb139af36b0a93da15b9fdc8.squirrel@mail2.ihtfp.org>
> Content-Type: text/plain;charset=utf-8
>
> David,
>
> # hostname -f
> arm-host
> # hostname arm-host
> # /etc/init.d/S01rsyslogd restart
> Stopping rsyslogd: OK
> Starting rsyslogd: OK
> # tail /var/log/myhostname
> 127/n127/n#
>
> So nope, didn't change anything.
>
> -derek
>
>
> On Wed, October 6, 2021 6:10 pm, David Lang wrote:
> > try
> >
> > hostname -f
> >
> > that give the fully qualified hostname, it if returns 127.0.0.1 then
> > somehow
> > that is getting set as the hostname and gethostname() is removing all
> > after the
> > first '.', resulting in 127 that you are seeing
> >
> > try setting the hostname
> >
> > hostname name-you-want
> >
> > then restart rsyslog and see if it finds the correct name (if so, this is
> > a
> > problem in setting the name, not in rsyslog fetching the name)
> >
> > David Lang
> >
> >
> > On Wed, 6 Oct 2021, David Lang
> > wrote:
> >
> >> Date: Wed, 6 Oct 2021 15:06:04 -0700 (PDT)
> >> From: David Lang <david@lang.hm>
> >> To: Derek Atkins <derek@ihtfp.com>
> >> Cc: David Lang <david@lang.hm>, rsyslog@lists.adiscon.com
> >> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's hostname
> >> is
> >> "127.0.0.1"?
> >>
> >> ok, that confirms that the syscall to get the hostname isn't working
> >>
> >> Rainer, what call do we make?
> >>
> >> David Lang
> >>
> >> On Wed, 6 Oct 2021, Derek Atkins wrote:
> >>
> >>> Date: Wed, 6 Oct 2021 16:20:46 -0400
> >>> From: Derek Atkins <derek@ihtfp.com>
> >>> To: David Lang <david@lang.hm>
> >>> Cc: rsyslog@lists.adiscon.com
> >>> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> >>> hostname is
> >>> "127.0.0.1"?
> >>>
> >>> David,
> >>>
> >>> # cat >> /etc/rsyslog.conf
> >>> $template foo,"%$myhostname%/n"
> >>> /var/log/myhostname;foo
> >>> # /etc/init.d/S01rsyslogd restart
> >>> Stopping rsyslogd: OK
> >>> Starting rsyslogd: OK
> >>> # tail /var/log/myhostname
> >>> 127/n#
> >>>
> >>> -derek
> >>>
> >>> On Wed, October 6, 2021 2:35 pm, David Lang wrote:
> >>>> $template foo,"%$myhostname%/n"
> >>>> /var/log/myhostname;foo
> >>>>
> >>>> run this for a very short time as it will write a line to this file
> >>>> for
> >>>> every
> >>>> log message that arrives :-)
> >>>>
> >>>> David Lang
> >>>>
> >>>> On Wed, 6 Oct 2021, Derek Atkins wrote:
> >>>>
> >>>>> Date: Wed, 6 Oct 2021 13:45:56 -0400
> >>>>> From: Derek Atkins <derek@ihtfp.com>
> >>>>> To: David Lang <david@lang.hm>
> >>>>> Cc: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> >>>>> hostname
> >>>>> is
> >>>>> "127.0.0.1"?
> >>>>>
> >>>>> David,
> >>>>>
> >>>>> I am happy to revert back to the uclibc installation and feed you
> >>>>> data,
> >>>>> if
> >>>>> you can give me what to copy-and-paste into my rsyslogd.conf file?
> >>>>>
> >>>>> -derek
> >>>>>
> >>>>> On Wed, October 6, 2021 1:43 pm, David Lang wrote:
> >>>>>> I believe that rsyslog uses the gethostbyname() call to convert the
> >>>>>> IP
> >>>>>> to
> >>>>>> name
> >>>>>>
> >>>>>> it would also be interesting to create a custom templete with
> >>>>>> %$myhostname% in
> >>>>>> it and see what that returns.
> >>>>>>
> >>>>>> I'm not sure if in this case, rsyslog is seeing that there is no
> >>>>>> hostname
> >>>>>> in the
> >>>>>> message and using $myhostname (and that is wrong) or if it's trying
> >>>>>> to
> >>>>>> resolve
> >>>>>> 127.0.0.1 and that's failing (I suspect that it's the $myhostname
> >>>>>> that's
> >>>>>> wrong)
> >>>>>>
> >>>>>> If we can identify what's happening, we can then try to create a
> >>>>>> fix.
> >>>>>> It
> >>>>>> would
> >>>>>> be nice to support non-glibc builds
> >>>>>>
> >>>>>> David Lang
> >>>>>>
> >>>>>>
> >>>>>> On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>>
> >>>>>>> I just rebuilt the Arm platform with GLibc and.... syslog is
> >>>>>>> working.
> >>>>>>> So I will go and blame uclibc for the bug.
> >>>>>>>
> >>>>>>> Thank you for getting me to look more closely (and pointing out
> >>>>>>> that
> >>>>>>> the
> >>>>>>> issue is that rsyslogd was not getting a valid hostname).
> >>>>>>>
> >>>>>>> Thanks all!
> >>>>>>>
> >>>>>>> -derek
> >>>>>>>
> >>>>>>> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> >>>>>>>> Good morning,
> >>>>>>>>
> >>>>>>>> Thank you for your help so far.
> >>>>>>>>
> >>>>>>>> I just wanted to add one more piece of data, on my other host
> >>>>>>>> (compiled
> >>>>>>>> in
> >>>>>>>> the same way from the same source in the same BuildRoot manner,
> >>>>>>>> but
> >>>>>>>> on
> >>>>>>>> a
> >>>>>>>> different platform), I get what I would expect:
> >>>>>>>>
> >>>>>>>> Debug line with all properties:
> >>>>>>>> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2',
> >>>>>>>> PRI:
> >>>>>>>> 46,
> >>>>>>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> >>>>>>>> 'rsyslogd',
> >>>>>>>> PROCID: '-', MSGID: '-',
> >>>>>>>> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> >>>>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>> x-pid="1780"
> >>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> >>>>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [origin
> >>>>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> >>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>> $!:
> >>>>>>>> $.:
> >>>>>>>> $/:
> >>>>>>>>
> >>>>>>>> So ... FROMHOST and HOSTNAME are clearly correct here. So I guess
> >>>>>>>> my
> >>>>>>>> question is, what APIs are rsyslogd using to try to obtain this
> >>>>>>>> information? I can certainly compile additional test code and run
> >>>>>>>> it
> >>>>>>>> if
> >>>>>>>> necessary. I just find it odd that the *host* knows its name but
> >>>>>>>> rsyslogd
> >>>>>>>> can't figure it out?
> >>>>>>>>
> >>>>>>>> Actually, looking a little closer, I noticed that I'm using uclibc
> >>>>>>>> on
> >>>>>>>> the
> >>>>>>>> arm platform (the broken one), but glibc on the nios2. I wonder
> >>>>>>>> if
> >>>>>>>> this
> >>>>>>>> is the issue?
> >>>>>>>>
> >>>>>>>> -derek
> >>>>>>>>
> >>>>>>>> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> >>>>>>>>> As I said in my OP:
> >>>>>>>>>
> >>>>>>>>> # hostname
> >>>>>>>>> arm-host
> >>>>>>>>>
> >>>>>>>>> and from this query:
> >>>>>>>>>
> >>>>>>>>> # cat /etc/hosts
> >>>>>>>>> 127.0.0.1 localhost
> >>>>>>>>> 127.0.1.1 arm-host
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> However, as I also stated in my OP, I another another machine on
> >>>>>>>>> a
> >>>>>>>>> nios2
> >>>>>>>>> with the exact same configuration and there the log messages say
> >>>>>>>>> the
> >>>>>>>>> correct hostname.
> >>>>>>>>>
> >>>>>>>>> -derek
> >>>>>>>>>
> >>>>>>>>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> >>>>>>>>>> what is in /etc/hosts and what do you get if you run the command
> >>>>>>>>>> hostname?
> >>>>>>>>>>
> >>>>>>>>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> >>>>>>>>>>
> >>>>>>>>>> the log message you received (as seen by the rawmsg: section)
> >>>>>>>>>> does
> >>>>>>>>>> not
> >>>>>>>>>> provide a
> >>>>>>>>>> hostname (which could have been the problem)
> >>>>>>>>>>
> >>>>>>>>>> so based on this, the problem is with name resolution, which
> >>>>>>>>>> should
> >>>>>>>>>> start
> >>>>>>>>>> with
> >>>>>>>>>> /etc/hosts and hostname
> >>>>>>>>>>
> >>>>>>>>>> David Lang
> >>>>>>>>>>
> >>>>>>>>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> >>>>>>>>>>> From: Derek Atkins <derek@ihtfp.com>
> >>>>>>>>>>> To: David Lang <david@lang.hm>
> >>>>>>>>>>> Cc: rsyslog@lists.adiscon.com
> >>>>>>>>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>>>>> "127.0.0.1"?
> >>>>>>>>>>>
> >>>>>>>>>>> Hi,
> >>>>>>>>>>>
> >>>>>>>>>>> Thank you for the quick response.
> >>>>>>>>>>>
> >>>>>>>>>>> The logging here is all done locally, and the issue is in EVERY
> >>>>>>>>>>> log
> >>>>>>>>>>> message. The source is local (a call to vsyslog() in an
> >>>>>>>>>>> application),
> >>>>>>>>>>> or
> >>>>>>>>>>> even just a call to "logger". Here is the resulting log
> >>>>>>>>>>> message
> >>>>>>>>>>> from
> >>>>>>>>>>> rsyslogd starting up:
> >>>>>>>>>>>
> >>>>>>>>>>> Debug line with all properties:
> >>>>>>>>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127',
> >>>>>>>>>>> PRI:
> >>>>>>>>>>> 46,
> >>>>>>>>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> >>>>>>>>>>> PROCID:
> >>>>>>>>>>> '-', MSGID: '-',
> >>>>>>>>>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> >>>>>>>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>>>>> x-pid="17368"
> >>>>>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> >>>>>>>>>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> >>>>>>>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog:
> >>>>>>>>>>> [origin
> >>>>>>>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> >>>>>>>>>>> x-info="https://www.rsyslog.com"] start'
> >>>>>>>>>>> $!:
> >>>>>>>>>>> $.:
> >>>>>>>>>>> $/:
> >>>>>>>>>>>
> >>>>>>>>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from
> >>>>>>>>>>> here,
> >>>>>>>>>>> but
> >>>>>>>>>>> my
> >>>>>>>>>>> guess that's the problem?
> >>>>>>>>>>>
> >>>>>>>>>>> I can run the same config on the nios2 if you want to see what
> >>>>>>>>>>> it
> >>>>>>>>>>> says,
> >>>>>>>>>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> >>>>>>>>>>> "nios2"
> >>>>>>>>>>> instead of "127".
> >>>>>>>>>>>
> >>>>>>>>>>> The contents of /etc/hosts is effectively the same on both
> >>>>>>>>>>> machines
> >>>>>>>>>>> (the
> >>>>>>>>>>> one that works correctly and this one).
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>>
> >>>>>>>>>>> -derek
> >>>>>>>>>>>
> >>>>>>>>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> >>>>>>>>>>>> please log with the template RSYSLOG_DebugFormat so that we
> >>>>>>>>>>>> can
> >>>>>>>>>>>> see
> >>>>>>>>>>>> exactly what
> >>>>>>>>>>>> rsyslog is being sent for a problem message.
> >>>>>>>>>>>>
> >>>>>>>>>>>> David Lang
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> >>>>>>>>>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> >>>>>>>>>>>>> To: rsyslog@lists.adiscon.com
> >>>>>>>>>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> >>>>>>>>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> >>>>>>>>>>>>> "127.0.0.1"?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I'm using rsyslog in a BuildRoot environment. I've built it
> >>>>>>>>>>>>> on
> >>>>>>>>>>>>> two
> >>>>>>>>>>>>> different platforms (nios2 and arm). The Nios2 platform
> >>>>>>>>>>>>> works
> >>>>>>>>>>>>> great.
> >>>>>>>>>>>>> However, on the Arm platform, rsyslog seems to think the
> >>>>>>>>>>>>> local
> >>>>>>>>>>>>> hostname
> >>>>>>>>>>>>> is
> >>>>>>>>>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> >>>>>>>>>>>>> contains:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Oct 5 19:34:25 127 syslog: [origin software="rsyslogd"
> >>>>>>>>>>>>> swVersion="8.2010.0" x-pid="8080"
> >>>>>>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>>>>>> start
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Notice the "127" in there? That's where the "hostname" is
> >>>>>>>>>>>>> supposed
> >>>>>>>>>>>>> to
> >>>>>>>>>>>>> be.
> >>>>>>>>>>>>> So if for some reason it thinks the FQDN is an IP address,
> >>>>>>>>>>>>> that
> >>>>>>>>>>>>> would
> >>>>>>>>>>>>> explain why this is doing that. But that's weird, because:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> # hostname
> >>>>>>>>>>>>> arm-host
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Moreover, if I compile and run the code to execute a
> >>>>>>>>>>>>> "gethostbyname()"
> >>>>>>>>>>>>> it
> >>>>>>>>>>>>> also returns "arm-host". So I have no idea where it's
> >>>>>>>>>>>>> getting
> >>>>>>>>>>>>> the
> >>>>>>>>>>>>> idea
> >>>>>>>>>>>>> that the hostname/FQDN is an IP Address.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I'll note that on the Nios2 this works as expected:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [origin software="rsyslogd"
> >>>>>>>>>>>>> swVersion="8.2010.0" x-pid="830"
> >>>>>>>>>>>>> x-info="https://www.rsyslog.com"]
> >>>>>>>>>>>>> start
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I'll say this is the same version of rsyslog on both systems,
> >>>>>>>>>>>>> built
> >>>>>>>>>>>>> with
> >>>>>>>>>>>>> the same sources, and (ostensibly) with the same build-time,
> >>>>>>>>>>>>> and
> >>>>>>>>>>>>> definitely the same run-time configurations.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I'm just at a loss for why rsyslog might be doing this, and
> >>>>>>>>>>>>> I'm
> >>>>>>>>>>>>> not
> >>>>>>>>>>>>> sure
> >>>>>>>>>>>>> where else to look.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> So I'm hoping you experts might be able to help me?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks!
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> -derek
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Derek Atkins 617-623-3745
> >>>>>>>>> derek@ihtfp.com www.ihtfp.com
> >>>>>>>>> Computer and Internet Security Consultant
> >>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>> rsyslog mailing list
> >>>>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>>>>> http://www.rsyslog.com/professional-services/
> >>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>>>>> myriad
> >>>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> >>>>>>>>> if
> >>>>>>>>> you
> >>>>>>>>> DON'T LIKE THAT.
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Derek Atkins 617-623-3745
> >>>>>>>> derek@ihtfp.com www.ihtfp.com
> >>>>>>>> Computer and Internet Security Consultant
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> rsyslog mailing list
> >>>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>>>> http://www.rsyslog.com/professional-services/
> >>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>>>> myriad
> >>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >>>>>>>> you
> >>>>>>>> DON'T LIKE THAT.
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
>
> ------------------------------
>
> Message: 42
> Date: Thu, 7 Oct 2021 14:16:18 +0200
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is "127.0.0.1"?
> Message-ID:
> <
> CADk+mPD9yVYXmoem4CMobAi74TJmapZ71DY1tAWp40RgM+H-kA@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> It is gethostname(). But depending on circumstances DNS is also
> involved. In the sample here, "127.0.0.1" being returned, this should
> not be the case.
>
> The prime function used to get the local host name is:
> https://github.com/rsyslog/rsyslog/blob/master/runtime/net.c#L1166
>
> HTH
> Rainer
>
> El jue, 7 oct 2021 a las 0:06, David Lang via rsyslog
> (<rsyslog@lists.adiscon.com>) escribi?:
> >
> > ok, that confirms that the syscall to get the hostname isn't working
> >
> > Rainer, what call do we make?
> >
> > David Lang
> >
> > On Wed, 6 Oct 2021, Derek Atkins wrote:
> >
> > > Date: Wed, 6 Oct 2021 16:20:46 -0400
> > > From: Derek Atkins <derek@ihtfp.com>
> > > To: David Lang <david@lang.hm>
> > > Cc: rsyslog@lists.adiscon.com
> > > Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname is
> > > "127.0.0.1"?
> > >
> > > David,
> > >
> > > # cat >> /etc/rsyslog.conf
> > > $template foo,"%$myhostname%/n"
> > > /var/log/myhostname;foo
> > > # /etc/init.d/S01rsyslogd restart
> > > Stopping rsyslogd: OK
> > > Starting rsyslogd: OK
> > > # tail /var/log/myhostname
> > > 127/n#
> > >
> > > -derek
> > >
> > > On Wed, October 6, 2021 2:35 pm, David Lang wrote:
> > >> $template foo,"%$myhostname%/n"
> > >> /var/log/myhostname;foo
> > >>
> > >> run this for a very short time as it will write a line to this file
> for
> > >> every
> > >> log message that arrives :-)
> > >>
> > >> David Lang
> > >>
> > >> On Wed, 6 Oct 2021, Derek Atkins wrote:
> > >>
> > >>> Date: Wed, 6 Oct 2021 13:45:56 -0400
> > >>> From: Derek Atkins <derek@ihtfp.com>
> > >>> To: David Lang <david@lang.hm>
> > >>> Cc: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> > >>> Subject: Re: [rsyslog] [SOLVED] Re: RSyslog thinks my machine's
> hostname
> > >>> is
> > >>> "127.0.0.1"?
> > >>>
> > >>> David,
> > >>>
> > >>> I am happy to revert back to the uclibc installation and feed you
> data,
> > >>> if
> > >>> you can give me what to copy-and-paste into my rsyslogd.conf file?
> > >>>
> > >>> -derek
> > >>>
> > >>> On Wed, October 6, 2021 1:43 pm, David Lang wrote:
> > >>>> I believe that rsyslog uses the gethostbyname() call to convert the
> IP
> > >>>> to
> > >>>> name
> > >>>>
> > >>>> it would also be interesting to create a custom templete with
> > >>>> %$myhostname% in
> > >>>> it and see what that returns.
> > >>>>
> > >>>> I'm not sure if in this case, rsyslog is seeing that there is no
> > >>>> hostname
> > >>>> in the
> > >>>> message and using $myhostname (and that is wrong) or if it's trying
> to
> > >>>> resolve
> > >>>> 127.0.0.1 and that's failing (I suspect that it's the $myhostname
> > >>>> that's
> > >>>> wrong)
> > >>>>
> > >>>> If we can identify what's happening, we can then try to create a
> fix.
> > >>>> It
> > >>>> would
> > >>>> be nice to support non-glibc builds
> > >>>>
> > >>>> David Lang
> > >>>>
> > >>>>
> > >>>> On Wed, 6 Oct 2021, Derek Atkins via rsyslog wrote:
> > >>>>
> > >>>>> I just rebuilt the Arm platform with GLibc and.... syslog is
> working.
> > >>>>> So I will go and blame uclibc for the bug.
> > >>>>>
> > >>>>> Thank you for getting me to look more closely (and pointing out
> that
> > >>>>> the
> > >>>>> issue is that rsyslogd was not getting a valid hostname).
> > >>>>>
> > >>>>> Thanks all!
> > >>>>>
> > >>>>> -derek
> > >>>>>
> > >>>>> On Wed, October 6, 2021 8:36 am, Derek Atkins via rsyslog wrote:
> > >>>>>> Good morning,
> > >>>>>>
> > >>>>>> Thank you for your help so far.
> > >>>>>>
> > >>>>>> I just wanted to add one more piece of data, on my other host
> > >>>>>> (compiled
> > >>>>>> in
> > >>>>>> the same way from the same source in the same BuildRoot manner,
> but
> > >>>>>> on
> > >>>>>> a
> > >>>>>> different platform), I get what I would expect:
> > >>>>>>
> > >>>>>> Debug line with all properties:
> > >>>>>> FROMHOST: 'nios2', fromhost-ip: '127.0.0.1', HOSTNAME: 'nios2',
> PRI:
> > >>>>>> 46,
> > >>>>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> > >>>>>> 'rsyslogd',
> > >>>>>> PROCID: '-', MSGID: '-',
> > >>>>>> TIMESTAMP: 'Oct 6 12:27:44', STRUCTURED-DATA: '-',
> > >>>>>> msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> x-pid="1780"
> > >>>>>> x-info="https://www.rsyslog.com"] start'
> > >>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> > >>>>>> x-pid="1780" x-info="https://www.rsyslog.com"] start'
> > >>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 12:27:44 rsyslogd: [.origin
> > >>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="1780"
> > >>>>>> x-info="https://www.rsyslog.com"] start'
> > >>>>>> $!:
> > >>>>>> $.:
> > >>>>>> $/:
> > >>>>>>
> > >>>>>> So ... FROMHOST and HOSTNAME are clearly correct here. So I
> guess my
> > >>>>>> question is, what APIs are rsyslogd using to try to obtain this
> > >>>>>> information? I can certainly compile additional test code and
> run it
> > >>>>>> if
> > >>>>>> necessary. I just find it odd that the *host* knows its name but
> > >>>>>> rsyslogd
> > >>>>>> can't figure it out?
> > >>>>>>
> > >>>>>> Actually, looking a little closer, I noticed that I'm using
> uclibc on
> > >>>>>> the
> > >>>>>> arm platform (the broken one), but glibc on the nios2. I wonder
> if
> > >>>>>> this
> > >>>>>> is the issue?
> > >>>>>>
> > >>>>>> -derek
> > >>>>>>
> > >>>>>> On Tue, October 5, 2021 9:13 pm, Derek Atkins via rsyslog wrote:
> > >>>>>>> As I said in my OP:
> > >>>>>>>
> > >>>>>>> # hostname
> > >>>>>>> arm-host
> > >>>>>>>
> > >>>>>>> and from this query:
> > >>>>>>>
> > >>>>>>> # cat /etc/hosts
> > >>>>>>> 127.0.0.1 localhost
> > >>>>>>> 127.0.1.1 arm-host
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> However, as I also stated in my OP, I another another machine on
> a
> > >>>>>>> nios2
> > >>>>>>> with the exact same configuration and there the log messages say
> the
> > >>>>>>> correct hostname.
> > >>>>>>>
> > >>>>>>> -derek
> > >>>>>>>
> > >>>>>>> On Tue, October 5, 2021 8:52 pm, David Lang wrote:
> > >>>>>>>> what is in /etc/hosts and what do you get if you run the command
> > >>>>>>>> hostname?
> > >>>>>>>>
> > >>>>>>>> rsyslog gets fromhost by doing a name lookup of the fromhost-ip
> > >>>>>>>>
> > >>>>>>>> the log message you received (as seen by the rawmsg: section)
> does
> > >>>>>>>> not
> > >>>>>>>> provide a
> > >>>>>>>> hostname (which could have been the problem)
> > >>>>>>>>
> > >>>>>>>> so based on this, the problem is with name resolution, which
> should
> > >>>>>>>> start
> > >>>>>>>> with
> > >>>>>>>> /etc/hosts and hostname
> > >>>>>>>>
> > >>>>>>>> David Lang
> > >>>>>>>>
> > >>>>>>>> On Tue, 5 Oct 2021, Derek Atkins wrote:
> > >>>>>>>>
> > >>>>>>>>> Date: Tue, 5 Oct 2021 20:28:34 -0400
> > >>>>>>>>> From: Derek Atkins <derek@ihtfp.com>
> > >>>>>>>>> To: David Lang <david@lang.hm>
> > >>>>>>>>> Cc: rsyslog@lists.adiscon.com
> > >>>>>>>>> Subject: Re: [rsyslog] RSyslog thinks my machine's hostname is
> > >>>>>>>>> "127.0.0.1"?
> > >>>>>>>>>
> > >>>>>>>>> Hi,
> > >>>>>>>>>
> > >>>>>>>>> Thank you for the quick response.
> > >>>>>>>>>
> > >>>>>>>>> The logging here is all done locally, and the issue is in EVERY
> > >>>>>>>>> log
> > >>>>>>>>> message. The source is local (a call to vsyslog() in an
> > >>>>>>>>> application),
> > >>>>>>>>> or
> > >>>>>>>>> even just a call to "logger". Here is the resulting log
> message
> > >>>>>>>>> from
> > >>>>>>>>> rsyslogd starting up:
> > >>>>>>>>>
> > >>>>>>>>> Debug line with all properties:
> > >>>>>>>>> FROMHOST: '127', fromhost-ip: '127.0.0.1', HOSTNAME: '127',
> PRI:
> > >>>>>>>>> 46,
> > >>>>>>>>> syslogtag 'syslog:', programname: 'syslog', APP-NAME: 'syslog',
> > >>>>>>>>> PROCID:
> > >>>>>>>>> '-', MSGID: '-',
> > >>>>>>>>> TIMESTAMP: 'Oct 6 00:14:18', STRUCTURED-DATA: '-',
> > >>>>>>>>> msg: ' [.origin software="rsyslogd" swVersion="8.2010.0"
> > >>>>>>>>> x-pid="17368"
> > >>>>>>>>> x-info="https://www.rsyslog.com"] start'
> > >>>>>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.2010.0"
> > >>>>>>>>> x-pid="17368" x-info="https://www.rsyslog.com"] start'
> > >>>>>>>>> inputname: imuxsock rawmsg: '<46>Oct 6 00:14:18 syslog:
> [origin
> > >>>>>>>>> software="rsyslogd" swVersion="8.2010.0" x-pid="17368"
> > >>>>>>>>> x-info="https://www.rsyslog.com"] start'
> > >>>>>>>>> $!:
> > >>>>>>>>> $.:
> > >>>>>>>>> $/:
> > >>>>>>>>>
> > >>>>>>>>> So... no clue where "FROMHOST" or "HOSTNAME" are coming from
> here,
> > >>>>>>>>> but
> > >>>>>>>>> my
> > >>>>>>>>> guess that's the problem?
> > >>>>>>>>>
> > >>>>>>>>> I can run the same config on the nios2 if you want to see what
> it
> > >>>>>>>>> says,
> > >>>>>>>>> but my guess is that FROMHOST and HOSTNAME are going to both be
> > >>>>>>>>> "nios2"
> > >>>>>>>>> instead of "127".
> > >>>>>>>>>
> > >>>>>>>>> The contents of /etc/hosts is effectively the same on both
> > >>>>>>>>> machines
> > >>>>>>>>> (the
> > >>>>>>>>> one that works correctly and this one).
> > >>>>>>>>>
> > >>>>>>>>> Thanks,
> > >>>>>>>>>
> > >>>>>>>>> -derek
> > >>>>>>>>>
> > >>>>>>>>> On Tue, October 5, 2021 6:16 pm, David Lang wrote:
> > >>>>>>>>>> please log with the template RSYSLOG_DebugFormat so that we
> can
> > >>>>>>>>>> see
> > >>>>>>>>>> exactly what
> > >>>>>>>>>> rsyslog is being sent for a problem message.
> > >>>>>>>>>>
> > >>>>>>>>>> David Lang
> > >>>>>>>>>>
> > >>>>>>>>>> On Tue, 5 Oct 2021, Derek Atkins via rsyslog wrote:
> > >>>>>>>>>>
> > >>>>>>>>>>> Date: Tue, 5 Oct 2021 15:58:07 -0400
> > >>>>>>>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> > >>>>>>>>>>> To: rsyslog@lists.adiscon.com
> > >>>>>>>>>>> Cc: Derek Atkins <derek@ihtfp.com>
> > >>>>>>>>>>> Subject: [rsyslog] RSyslog thinks my machine's hostname is
> > >>>>>>>>>>> "127.0.0.1"?
> > >>>>>>>>>>>
> > >>>>>>>>>>> Hi,
> > >>>>>>>>>>>
> > >>>>>>>>>>> I'm using rsyslog in a BuildRoot environment. I've built it
> on
> > >>>>>>>>>>> two
> > >>>>>>>>>>> different platforms (nios2 and arm). The Nios2 platform
> works
> > >>>>>>>>>>> great.
> > >>>>>>>>>>> However, on the Arm platform, rsyslog seems to think the
> local
> > >>>>>>>>>>> hostname
> > >>>>>>>>>>> is
> > >>>>>>>>>>> "127.0.0.1". Why do I think that? Well, /var/log/messages
> > >>>>>>>>>>> contains:
> > >>>>>>>>>>>
> > >>>>>>>>>>> Oct 5 19:34:25 127 syslog: [.origin software="rsyslogd"
> > >>>>>>>>>>> swVersion="8.2010.0" x-pid="8080"
> > >>>>>>>>>>> x-info="https://www.rsyslog.com"]
> > >>>>>>>>>>> start
> > >>>>>>>>>>>
> > >>>>>>>>>>> Notice the "127" in there? That's where the "hostname" is
> > >>>>>>>>>>> supposed
> > >>>>>>>>>>> to
> > >>>>>>>>>>> be.
> > >>>>>>>>>>> So if for some reason it thinks the FQDN is an IP address,
> that
> > >>>>>>>>>>> would
> > >>>>>>>>>>> explain why this is doing that. But that's weird, because:
> > >>>>>>>>>>>
> > >>>>>>>>>>> # hostname
> > >>>>>>>>>>> arm-host
> > >>>>>>>>>>>
> > >>>>>>>>>>> Moreover, if I compile and run the code to execute a
> > >>>>>>>>>>> "gethostbyname()"
> > >>>>>>>>>>> it
> > >>>>>>>>>>> also returns "arm-host". So I have no idea where it's
> getting
> > >>>>>>>>>>> the
> > >>>>>>>>>>> idea
> > >>>>>>>>>>> that the hostname/FQDN is an IP Address.
> > >>>>>>>>>>>
> > >>>>>>>>>>> I'll note that on the Nios2 this works as expected:
> > >>>>>>>>>>>
> > >>>>>>>>>>> Sep 30 19:28:41 nios2 rsyslogd: [.origin software="rsyslogd"
> > >>>>>>>>>>> swVersion="8.2010.0" x-pid="830"
> > >>>>>>>>>>> x-info="https://www.rsyslog.com"]
> > >>>>>>>>>>> start
> > >>>>>>>>>>>
> > >>>>>>>>>>> I'll say this is the same version of rsyslog on both systems,
> > >>>>>>>>>>> built
> > >>>>>>>>>>> with
> > >>>>>>>>>>> the same sources, and (ostensibly) with the same build-time,
> and
> > >>>>>>>>>>> definitely the same run-time configurations.
> > >>>>>>>>>>>
> > >>>>>>>>>>> I'm just at a loss for why rsyslog might be doing this, and
> I'm
> > >>>>>>>>>>> not
> > >>>>>>>>>>> sure
> > >>>>>>>>>>> where else to look.
> > >>>>>>>>>>>
> > >>>>>>>>>>> So I'm hoping you experts might be able to help me?
> > >>>>>>>>>>>
> > >>>>>>>>>>> Thanks!
> > >>>>>>>>>>>
> > >>>>>>>>>>> -derek
> > >>>>>>>>>>>
> > >>>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> --
> > >>>>>>> Derek Atkins 617-623-3745
> > >>>>>>> derek@ihtfp.com www.ihtfp.com
> > >>>>>>> Computer and Internet Security Consultant
> > >>>>>>>
> > >>>>>>> _______________________________________________
> > >>>>>>> rsyslog mailing list
> > >>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>>>>>> http://www.rsyslog.com/professional-services/
> > >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >>>>>>> myriad
> > >>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> if
> > >>>>>>> you
> > >>>>>>> DON'T LIKE THAT.
> > >>>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>> --
> > >>>>>> Derek Atkins 617-623-3745
> > >>>>>> derek@ihtfp.com www.ihtfp.com
> > >>>>>> Computer and Internet Security Consultant
> > >>>>>>
> > >>>>>> _______________________________________________
> > >>>>>> rsyslog mailing list
> > >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>>>>> http://www.rsyslog.com/professional-services/
> > >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >>>>>> myriad
> > >>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> > >>>>>> you
> > >>>>>> DON'T LIKE THAT.
> > >>>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>
> > >>>
> > >>>
> > >>>
> > >>
> > >
> > >
> > >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> rsyslog mailing list
> rsyslog@lists.adiscon.com
> https://lists.adiscon.net/mailman/listinfo/rsyslog
>
>
> ------------------------------
>
> End of rsyslog Digest, Vol 172, Issue 1
> ***************************************
>


--
regards,
Simon Long
IT Consultant
mob: 0421-645-350
email: braininarobot@gmail.com
Company Name: SIMON ANDREW LONG
ABN: 83 467 909 140
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rsyslog Digest, Vol 172, Issue 1 [ In reply to ]
sending unsubscribe to the mailing list doesn't work, at the bottom of the
message there is a link to how to unsubscribe, please use that.

David Lang


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.