Mailing List Archive

How to view messages
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: How to view messages
what messages are you asking about?

David Lang

On Thu, 28 Jul 2022, Singh, Radesh via rsyslog wrote:

> Subject: [rsyslog] How to view messages
Re: [E] Re: How to view messages
you can write logs in many formats. I would suggest that you log using the
template RSYSLOG_DebugFormat as it will give you lots of info, including the raw
message that rsyslog received.

David Lang

On Thu, 28 Jul 2022, Singh, Radesh wrote:

> Date: Thu, 28 Jul 2022 20:57:50 +0000
> From: "Singh, Radesh" <Radesh_Singh@csx.com>
> To: David Lang <david@lang.hm>,
> "Singh, Radesh via rsyslog" <rsyslog@lists.adiscon.com>
> Subject: Re: [E] Re: [rsyslog] How to view messages
>
> Hi David,
>
> Really any message received by rsyslog. I’m wondering if there is a way to see a ‘raw’ version of that message before it is written to disk.
>
> Radesh
>
Re: [E] Re: How to view messages
you want the RSYSLOG_DebugFormat for this.

properties are things generated/parsed by rsyslog, not part of the raw message
that was received.

David Lang

On Thu, 28 Jul 2022, Singh, Radesh wrote:

> Date: Thu, 28 Jul 2022 21:04:55 +0000
> From: "Singh, Radesh" <Radesh_Singh@csx.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>, David Lang <david@lang.hm>
> Subject: Re: [rsyslog] [E] Re: How to view messages
>
> I’m trying to see what the value of each property is when rsyslog receives a message from certain hosts to see if maybe something isn’t being set right.
>
> The problem is messages get written to:
>
> /var/remote/logs/<IP_ADDRESS>/…
>
> We’d like them to be written to:
>
> /var/remote/logs/<HOSTNAME>/
>
> I’ve confirmed that name resolution is successful for the host sending the message, so I’m wondering if there is something with the message itself where maybe the message isn’t in the right format.
>
> Radesh
>
Re: [E] Re: How to view messages
hostname is what is in the message (unless it's malformed)

fromhost-ip is the IP that the box received the message from (if the message is
relayed from some other host, this is the last relay in the chain)

fromhost is the result of a name lookup on the receiving machine of fromhost-ip
(it could include DNS, or DNS lookups can be disabled in rsyslog and only do a
/etc/hosts lookup)

if you can show the rawmsg portion of the debug log (or at least the beginning
of it), I can see if the sender is sending a properly formatted message or if
it's malformed.

If the sender is sending a properly formed message hostname will be what the
sender put in the message, period.

David Lang

On Fri, 29 Jul 2022, Singh, Radesh wrote:

> Date: Fri, 29 Jul 2022 18:37:13 +0000
> From: "Singh, Radesh" <Radesh_Singh@csx.com>
> To: David Lang <david@lang.hm>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [E] Re: How to view messages
>
> David,
>
> I was able to see more of the messages using the DebugFormat, so thank you so much for that information.
>
> Riddle me this…
>
> I see that HOSTNAME on a particular message is not the hostname as would be reported if I did a reverse DNS lookup, but instead is the IP address of the host.
>
> Why isn’t rsyslog printing the hostname instead of IP?
>
> Just taking a portion of a message:
>
> FROMHOST: '10.84.180.239', fromhost-ip: '10.84.180.239', HOSTNAME: '10.84.180.239', PRI: 189,
> syslogtag 'date=2022-07-29', programname: 'date=2022-07-29', APP-NAME: 'date=2022-07-29', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Jul 29 13:30:40',
>
> If I do a dig -x against the IP listed in FROMHOST/FROMHOST-IP, I get a name… why isn’t that name being printed in the message?
>
> BTW, I’m running this version of rsyslog:
> rsyslog-8.24.0-16.el7_5.4.x86_64
>
> Thanks,
>
> Shawn Singh
> Systems Architect II | Cloud Platform Services | CSX Technology
> 904-633-5745
>
> “Ah… It seems I’ve offended two people at once, how fortuitous.” – Wednesday Addams
>
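The property dump above shows the symptom for one message: HOSTNAME, FROMHOST and fromhost-ip all hold the same IP. To find every sender that is hitting this fallback across a whole DebugFormat log rather than one message, the added Python check below groups DebugFormat property lines into one record per message and reports each fromhost-ip whose HOSTNAME equals the IP, with the start of one offending rawmsg so the sender's header can be inspected. This is example code written for this page, not part of rsyslog or of the thread; it reads only the property lines shown in the thread (FROMHOST/fromhost-ip/HOSTNAME, syslogtag/programname/APP-NAME/PROCID/MSGID, TIMESTAMP, rawmsg), and the two sample records are constructed: the first from the values posted above, the second a made-up well-formed sshd message arriving through a relay so that HOSTNAME and fromhost-ip legitimately differ.

```python
"""Audit of RSYSLOG_DebugFormat output: report senders whose HOSTNAME property equals
their fromhost-ip, i.e. whose messages carried no usable hostname header. Added
example for this page, not rsyslog code; it reads only the property lines the thread
shows, and SAMPLE_DEBUG_LOG is constructed."""
import re

# DebugFormat prints `NAME: 'value'` pairs; `syslogtag 'value'` has no colon.
PAIR = re.compile(r"([A-Za-z][A-Za-z-]*):? '([^']*)'")

# Constructed sample: record 1 uses the values posted in the thread, record 2 is a
# made-up well-formed sshd message arriving via a relay (HOSTNAME != fromhost-ip).
SAMPLE_DEBUG_LOG = """\
FROMHOST: '10.84.180.239', fromhost-ip: '10.84.180.239', HOSTNAME: '10.84.180.239', PRI: 189,
syslogtag 'date=2022-07-29', programname: 'date=2022-07-29', APP-NAME: 'date=2022-07-29', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Jul 29 13:30:40',
rawmsg: '<189>date=2022-07-29 time=13:30:40 devname="FWL-QTSA-P-18F-FVPN-01" devid="FG181FTK21901621"'
FROMHOST: 'relay01.example.net', fromhost-ip: '192.0.2.10', HOSTNAME: 'web01', PRI: 38,
syslogtag 'sshd[2201]:', programname: 'sshd', APP-NAME: 'sshd', PROCID: '2201', MSGID: '-',
TIMESTAMP: 'Jul 29 13:31:02',
rawmsg: '<38>Jul 29 13:31:02 web01 sshd[2201]: Accepted publickey for ops from 192.0.2.50'
"""


def parse_debug_records(text: str) -> list[dict[str, str]]:
    """Group DebugFormat lines into one dict per message. A record starts at each
    FROMHOST: line; PRI is printed unquoted and is not captured here."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("FROMHOST:"):
            records.append({})
        if not records:
            continue                     # anything before the first record
        for key, value in PAIR.findall(line):
            records[-1][key] = value
    return records


def senders_without_hostname(records: list[dict[str, str]]) -> dict[str, dict]:
    """fromhost-ip -> count of messages whose HOSTNAME fell back to that IP, plus the
    start of one such rawmsg so the sender's header format can be checked."""
    flagged: dict[str, dict] = {}
    for rec in records:
        ip, host = rec.get("fromhost-ip"), rec.get("HOSTNAME")
        if not ip or host != ip:
            continue
        entry = flagged.setdefault(ip, {"count": 0, "example": rec.get("rawmsg", "")[:40]})
        entry["count"] += 1
    return flagged


def audit(text: str = SAMPLE_DEBUG_LOG) -> dict[str, dict]:
    """Run the check over a DebugFormat log (the constructed sample by default)."""
    return senders_without_hostname(parse_debug_records(text))


if __name__ == "__main__":
    for ip, info in audit().items():
        print(f"{ip}: {info['count']} message(s) without a hostname header, "
              f"e.g. {info['example']!r}")
```

On the sample, only 10.84.180.239 is reported; the relayed sshd message is left alone because its HOSTNAME came from the header, which is exactly the distinction between HOSTNAME and fromhost-ip that the reply below this post spells out.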
Re: [E] Re: How to view messages
Ok, this is malformed, it does not have a proper timestamp or hostname in the
message (see RFC-3164 for the old format and RFC-5424 for the new format)

if you can fix the sender to properly format the message, that would be the best
option.

falling back on fromhost-ip and then looking it up in name resolution is a poor
second, but should work. make sure that you can do a nslookup of the IP

David Lang

On Fri, 29 Jul 2022, Singh, Radesh wrote:

> Date: Fri, 29 Jul 2022 20:13:32 +0000
> From: "Singh, Radesh" <Radesh_Singh@csx.com>
> To: David Lang <david@lang.hm>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [E] Re: How to view messages
>
> Here’s a snip from the rawmsg portion:
>
> rawmsg: '<189>date=2022-07-29 time=13:30:40 devname="FWL-QTSA-P-18F-FVPN-01" devid="FG181FTK21901621" eventtime=1659115840206155849 tz="-0400" logid="0100040704" type="event" subtype="system" level="notice"
>
> Thanks,
>
> Shawn Singh
> Systems Architect II | Cloud Platform Services | CSX Technology
> 904-633-5745
>
> “Ah… It seems I’ve offended two people at once, how fortuitous.” – Wednesday Addams
>
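The two replies above describe the rule that explains Radesh's output: properties are parsed by rsyslog and are not part of rawmsg; HOSTNAME is whatever the header carries when the message is well formed; when there is no RFC 3164 or RFC 5424 header, as with the Fortinet message, the receiver stamps its own time, the first token becomes the syslogtag, and HOSTNAME can only be filled from fromhost-ip. The added Python model below walks through that derivation. It is example code written for this page, not rsyslog's parser, and it recognises only the two header shapes named in the thread. The sample inputs are constructed: the headerless message is the Fortinet rawmsg quoted above (truncated after level="notice"), and the two well-formed variants put an RFC 3164 and an RFC 5424 header in front of the same payload; using the device name as the hostname, the app name `fortigate`, and the `log_dir_for` check are assumptions. That last helper is the caveat a practitioner would want before filing under /var/remote/logs/<HOSTNAME>/: in a well-formed message HOSTNAME is sender-supplied, while fromhost-ip is what the receiver itself observed.

```python
"""Model of how a syslog receiver derives HOSTNAME, TIMESTAMP and syslogtag from a
raw message, and what happens when the header is missing. Added illustration of
the behaviour described in the thread, not rsyslog source; rsyslog's parsers
handle many more corner cases. Sample inputs are constructed (see SAMPLES)."""
import re
from dataclasses import dataclass
from datetime import datetime

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG MSG   (day may be space padded)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$", re.DOTALL)
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
# Only a <PRI>, no recognisable header: the Fortinet case in the thread
PRI_ONLY = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)


@dataclass
class Parsed:
    rawmsg: str
    fromhost_ip: str   # peer address the receiver saw; not taken from the message
    pri: int
    facility: int
    severity: int
    hostname: str      # HOSTNAME from the header, or fromhost_ip when there is none
    timestamp: str
    syslogtag: str
    header_ok: bool    # False when HOSTNAME had to fall back to fromhost_ip


def rfc3164_time(when: datetime) -> str:
    """Receiver's clock in RFC 3164 form, day space padded ('Jul  9', 'Jul 29')."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def legacy_tag(rest: str) -> str:
    """TAG as the legacy parser reads it: up to the first space, or up to and
    including the first colon ('sshd[123]:')."""
    return re.match(r"[^\s:]*:?", rest).group(0)


def parse_syslog(raw: str, fromhost_ip: str, received_at: datetime) -> Parsed:
    m = RFC5424.match(raw)
    if m:
        pri = int(m["pri"])
        host = fromhost_ip if m["host"] == "-" else m["host"]
        ts = rfc3164_time(received_at) if m["ts"] == "-" else m["ts"]
        tag = "" if m["app"] == "-" else m["app"]
        return Parsed(raw, fromhost_ip, pri, pri // 8, pri % 8, host, ts, tag, True)
    m = RFC3164.match(raw)
    if m:
        pri = int(m["pri"])
        return Parsed(raw, fromhost_ip, pri, pri // 8, pri % 8, m["host"], m["ts"],
                      legacy_tag(m["rest"]), True)
    m = PRI_ONLY.match(raw)
    if not m:
        raise ValueError("no <PRI> prefix: not a syslog message")
    pri = int(m["pri"])
    # No timestamp and no hostname in the message: the receiver stamps its own time,
    # can only name the sender by the peer address, and the first token becomes the tag.
    return Parsed(raw, fromhost_ip, pri, pri // 8, pri % 8, fromhost_ip,
                  rfc3164_time(received_at), legacy_tag(m["rest"]), False)


SAFE_LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def log_dir_for(p: Parsed, base: str = "/var/remote/logs") -> str:
    """Per-host directory in the layout the thread wants (assumed helper). In a
    well-formed message HOSTNAME is whatever the sender wrote, so it is only used
    when it is a plain host label; anything else falls back to the peer address."""
    name = p.hostname if SAFE_LABEL.match(p.hostname) else p.fromhost_ip
    return f"{base}/{name}/"


# Constructed samples. PAYLOAD is the Fortinet rawmsg quoted in the thread, truncated;
# the other two put an RFC 3164 and an RFC 5424 header in front of the same payload
# (device name used as hostname and the app name "fortigate" are assumptions).
PAYLOAD = ('date=2022-07-29 time=13:30:40 devname="FWL-QTSA-P-18F-FVPN-01" '
           'devid="FG181FTK21901621" eventtime=1659115840206155849 tz="-0400" '
           'logid="0100040704" type="event" subtype="system" level="notice"')
SAMPLES = {
    "headerless": "<189>" + PAYLOAD,
    "rfc3164": "<189>Jul 29 13:30:40 FWL-QTSA-P-18F-FVPN-01 " + PAYLOAD,
    "rfc5424": "<189>1 2022-07-29T13:30:40-04:00 FWL-QTSA-P-18F-FVPN-01 fortigate - - - "
               + PAYLOAD,
}
PEER_IP = "10.84.180.239"                        # fromhost-ip from the thread
RECEIVED_AT = datetime(2022, 7, 29, 13, 30, 40)  # receiver clock, local time


def demo() -> dict:
    """Parse every sample as if it arrived from PEER_IP at RECEIVED_AT."""
    return {name: parse_syslog(raw, PEER_IP, RECEIVED_AT) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name:10} HOSTNAME={p.hostname!r} TIMESTAMP={p.timestamp!r} "
              f"syslogtag={p.syslogtag!r} PRI={p.pri} header_ok={p.header_ok} "
              f"-> {log_dir_for(p)}")
```

The headerless sample reproduces the property dump Radesh posted (HOSTNAME '10.84.180.239', syslogtag 'date=2022-07-29', TIMESTAMP 'Jul 29 13:30:40', PRI 189, i.e. local7.notice); the same payload behind either header yields the device name as HOSTNAME, which is what the rest of the thread arrives at.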
Re: [E] Re: How to view messages
ahh, I use fortinets at $work, when you are configuring them, there is a
checkbox to enable 'bsd_syslog' format, check that and it puts the RFC3164
header on the messages, that will make things work much better.

David Lang

On Fri, 29 Jul 2022, Singh, Radesh wrote:

> David,
>
>  
>
> Thanks for your feedback!
>
> I was just reading S6.2.4 of https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.4 and realize the sender should have provided the HOSTNAME.
>
> This makes sense (in hindsight). It would place a performance hit on the rsyslog server if the rsyslog server had to resolve names…
>
> So it seems the sender (Fortinet, in this case) is sending HOSTNAME as an IP, leading to the issue we’re seeing.
>
>  
>
> As always, thanks for your help!
>
>  
>
> Shawn Singh
>
> Systems Architect II | Cloud Platform Services | CSX Technology
>
> 904-633-5745
>
>  
>
> “Ah… It seems I’ve offended two people at once, how fortuitous.” – Wednesday Addams
>
>  
>
> From: David Lang <david@lang.hm>
> Date: Friday, July 29, 2022 at 4:21 PM
> To: Singh, Radesh <Radesh_Singh@csx.com>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] [E] Re: How to view messages
>
> Ok, this is malformed, it does not have a proper timestamp or hostname in the message (see RFC-3164 for the old format and RFC-5424 for the new format) if you can fix the sender to properly format the
> message, that would be the best option.??
>
> Ok, this is malformed, it does not have a proper timestamp or hostname in the
>
> message (see RFC-3164 for the old format and RFC-5424 for the new format)
>
>  
>
> if you can fix the sender to properly format the message, that would be the best
>
> option.
>
>  
>
> falling back on fromhost-ip and then looking it up in name resolution is a poor
>
> second, but should work. make sure that you can do a nslookup of the IP
>
>  
>
> David Lang
>
>  
>
> On Fri, 29 Jul 2022, Singh, Radesh wrote:
>
>  
>
> > Date: Fri, 29 Jul 2022 20:13:32 +0000
>
> > From: "Singh, Radesh" <Radesh_Singh@csx.com>
>
> > To: David Lang <david@lang.hm>
>
> > Cc: rsyslog-users <rsyslog@lists.adiscon.com>
>
> > Subject: Re: [rsyslog] [E] Re:  How to view messages
>
> >
>
> >
>
> > Here’s a snip from the rawmsg portion:
>
> >
>
> >  
>
> >
>
> > rawmsg: '<189>date=2022-07-29 time=13:30:40 devname="FWL-QTSA-P-18F-FVPN-01" devid="FG181FTK21901621" eventtime=1659115840206155849 tz="-0400" logid="0100040704" type="event" subtype="system"
>
> > level="notice" 
>
> >
>
> >  
>
> >
>
> > Thanks,
>
> >
>
> >  
>
> >
>
> > Shawn Singh
>
> >
>
> > Systems Architect II | Cloud Platform Services | CSX Technology
>
> >
>
> > 904-633-5745
>
> >
>
> >  
>
> >
>
> > “Ah… It seems I’ve offended two people at once, how fortuitous.” – Wednesday Addams
>
> >
>
> >  
>
> >
>
> > From: David Lang <david@lang.hm>
>
> > Date: Friday, July 29, 2022 at 3:27 PM
>
> > To: Singh, Radesh <Radesh_Singh@csx.com>
>
> > Cc: rsyslog-users <rsyslog@lists.adiscon.com>
>
> > Subject: Re: [rsyslog] [E] Re: How to view messages
>
> >
>
> > hostname is what is in the message (unless it's malformed) fromhost-ip is the IP that the box received the message from (if the message is relayed from some other host, this is the last relay in the
>
> > chain) fromhost is the result of a name lookup
>
> >
>
> > hostname is what is in the message (unless it's malformed)
>
> >
>
> >  
>
> >
>
> > fromhost-ip is the IP that the box received the message from (if the message is
>
> >
>
> > relayed from some other host, this is the last relay in the chain)
>
> >
>
> >  
>
> >
>
> > fromhost is the result of a name lookup on the receiving machine of fromhost-ip
>
> >
>
> > (it could include DNS, or DNS lookups can be disabled in rsyslog and only do a
>
> >
>
> > /etc/hosts lookup)
>
> >
>
> >  
>
> >
>
> > if you can show the rawmsg portion of the debug log (or at least the beginning
>
> >
>
> > of it), I can see if the sender is sending a properly formatted message or if
>
> >
>
> > it's malformed.
>
> >
>
> >  
>
> >
>
> > If the sender is sending a properly formed message hostname will be what the
>
> >
>
> > sender put in the message, period.
>
> >
>
> >  
>
> >
>
> > David Lang
>
> >
>
> >  
>
> >
>
> > On Fri, 29 Jul 2022, Singh, Radesh wrote:
>
> >
>
> >  
>
> >
>
> > > Date: Fri, 29 Jul 2022 18:37:13 +0000
> > > From: "Singh, Radesh" <Radesh_Singh@csx.com>
> > > To: David Lang <david@lang.hm>
> > > Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> > > Subject: Re: [rsyslog] [E] Re: How to view messages
> > >
> > > David,
> > >
> > > I was able to see more of the messages using the DebugFormat, so thank you so much for that information.
> > >
> > > Riddle me this…
> > >
> > > I see that HOSTNAME on a particular message is not the hostname as would be reported if I did a reverse DNS lookup, but instead is the IP address of the host.
> > >
> > > Why isn’t rsyslog printing the hostname instead of IP?
> > >
> > > Just taking a portion of a message:
> > >
> > > FROMHOST: '10.84.180.239', fromhost-ip: '10.84.180.239', HOSTNAME: '10.84.180.239', PRI: 189,
> > > syslogtag 'date=2022-07-29', programname: 'date=2022-07-29', APP-NAME: 'date=2022-07-29', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Jul 29 13:30:40',
> > >
> > > If I do a dig -x against the IP listed in FROMHOST/FROMHOST-IP, I get a name… why isn’t that name being printed in the message?
> > >
> > > BTW, I’m running this version of rsyslog:
> > > rsyslog-8.24.0-16.el7_5.4.x86_64
> > >
> > > Thanks,
> > >
> > > Shawn Singh
> > > Systems Architect II | Cloud Platform Services | CSX Technology
> > > 904-633-5745
> > >
> > > “Ah… It seems I’ve offended two people at once, how fortuitous.” – Wednesday Addams
> > >
> > > From: David Lang <david@lang.hm>
> > > Date: Thursday, July 28, 2022 at 6:03 PM
> > > To: Singh, Radesh <Radesh_Singh@csx.com>
> > > Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> > > Subject: Re: [rsyslog] [E] Re: How to view messages
> > >
> > > you want the RSYSLOG_DebugFormat for this.
> > >
> > > properties are things generated/parsed by rsyslog, not part of the raw message
> > > that was received.
> > >
> > > David Lang
> > >
> > > On Thu, 28 Jul 2022, Singh, Radesh wrote:
> > >
> > > > Date: Thu, 28 Jul 2022 21:04:55 +0000
> > > > From: "Singh, Radesh" <Radesh_Singh@csx.com>
> > > > To: rsyslog-users <rsyslog@lists.adiscon.com>, David Lang <david@lang.hm>
> > > > Subject: Re: [rsyslog] [E] Re: How to view messages
> > > >
> > > > I’m trying to see what the value of each property is when rsyslog receives a message from certain hosts to see if maybe something isn’t being set right.
> > > >
> > > > The problem is messages get written to:
> > > >
> > > > /var/remote/logs/<IP_ADDRESS>/…
> > > >
> > > > We’d like them to be written to:
> > > >
> > > > /var/remote/logs/<HOSTNAME>/
> > > >
> > > > I’ve confirmed that name resolution is successful for the host sending the message, so I’m wondering if there is something with the message itself where maybe the message isn’t in the right format.
> > > >
> > > > Radesh
> > > >
> > > > From: rsyslog <rsyslog-bounces@lists.adiscon.com> on behalf of Singh, Radesh via rsyslog <rsyslog@lists.adiscon.com>
> > > > Date: Thursday, July 28, 2022 at 4:58 PM
> > > > To: David Lang <david@lang.hm>, Singh, Radesh via rsyslog <rsyslog@lists.adiscon.com>
> > > > Cc: Singh, Radesh <Radesh_Singh@csx.com>
> > > > Subject: Re: [rsyslog] [E] Re: How to view messages
> > > >
> > > > This email transmission and any accompanying attachments may contain CSX privileged and confidential or business proprietary information intended only for the use of the intended addressee. Any dissemination, distribution, forwarding, copying, or action taken in reliance on the contents of this email by anyone other than the intended recipient is strictly prohibited. If you have received this email in error please immediately delete it, destroy all copies, and notify the sender at the above CSX email address.
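An added example, not part of the thread and not rsyslog's own code: a small Python audit over RSYSLOG_DebugFormat records that flags senders whose HOSTNAME comes out as a bare IP literal, as in the record quoted above, and reports what reverse DNS (the `dig -x` check from the thread) returns for fromhost-ip. It assumes the per-host directory is built from %HOSTNAME%; the sample records and the example.net names are constructed, and the `ptr_lookup` helper is a hypothetical stand-in using `socket.gethostbyaddr`.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# DebugFormat prints properties as KEY: 'value' (syslogtag has no colon).
PAIR_RE = re.compile(r"([\w-]+):?\s*'([^']*)'")
# Constructed samples: first mirrors the thread's fields, second is a made-up sender with a real hostname.
SAMPLE_RECORDS = [
    "FROMHOST: '10.84.180.239', fromhost-ip: '10.84.180.239', HOSTNAME: '10.84.180.239', PRI: 189,\n"
    "syslogtag 'date=2022-07-29', programname: 'date=2022-07-29', APP-NAME: 'date=2022-07-29', PROCID: '-', MSGID: '-',\n"
    "TIMESTAMP: 'Jul 29 13:30:40',",
    "FROMHOST: 'relay01.example.net', fromhost-ip: '192.0.2.10', HOSTNAME: 'web01', PRI: 14,\n"
    "syslogtag 'sshd[2211]:', programname: 'sshd', APP-NAME: 'sshd', PROCID: '2211', MSGID: '-',\n"
    "TIMESTAMP: 'Jul 29 13:31:02',",
]

def parse_debug_line(record: str) -> Dict[str, str]:
    """Return the quoted properties of one DebugFormat record as a dict."""
    return dict(PAIR_RE.findall(record))

def is_ip_literal(value: str) -> bool:
    """True when a HOSTNAME/FROMHOST value is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def ptr_lookup(ip: str) -> Optional[str]:
    """Reverse DNS, the same answer `dig -x` gives; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # herror/gaierror are OSError subclasses
        return None

def audit(records: List[str], resolver: Callable[[str], Optional[str]] = ptr_lookup) -> List[dict]:
    """Flag records whose HOSTNAME is an IP: with a %HOSTNAME% dynafile they land under /var/remote/logs/<IP>/."""
    findings = []
    for record in records:
        props = parse_debug_line(record)
        hostname = props.get("HOSTNAME", "")
        if not is_ip_literal(hostname):
            continue
        ip = props.get("fromhost-ip", hostname)
        findings.append({"fromhost-ip": ip, "HOSTNAME": hostname, "syslogtag": props.get("syslogtag", ""),
                         # FROMHOST still an IP: rsyslog itself did not resolve the sender
                         "fromhost_resolved": not is_ip_literal(props.get("FROMHOST", "")),
                         "ptr": resolver(ip)})
    return findings
```

A record with a syslogtag like 'date=2022-07-29' alongside an IP-literal HOSTNAME is the signature of a message with no RFC 3164 HOSTNAME/TAG header, which is worth checking before looking at DNS on the collector.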
Re: [E] Re: How to view messages [ In reply to ]