Mailing List Archive

forwarded rsyslog messages is getting localhost added instead of hostname
Hi,

We have a problem where a message that a client syslog forwarded to the syslog
server is getting *localhost* instead of the actual *hostname* in the logs.


*Example;Expected:*
Oct 27 17:33:46 *testclient1* <Test message>

*Getting:*
Oct 27 17:33:46 *localhost* <Test message>


Here, we are forwarding the logs from client to server via UDP port to TCP
port. Seems during handoff time from UDP to TCP, it's getting localhost.

*Other Details:*
1. Platform(VM) : RHEL79.
2. rsyslogd version : 8.32.0
3. hostname : testclient1

Help in resolving this issue is greatly appreciated.

Attached complete debug logs. PFA.

Regards,

--

*Naveenkumar Hanchinamani*
Software Engineer II , Server
+91 9741919257 M (PTT)
+91 080 – 4000 5555 O
naveenkumar.mh@motorolasolutions.com
*Kodiak*, a Motorola Solutions Company
+1 972-665-0200 | kodiakptt.com | motorolasolutions.com

Re: forwarded rsyslog messages is getting localhost added instead of hostname
8.32 is several years old, but it contains things that RedHat has backported.

In the current upstream version, this is a recently discovered bug, the
work-around is to add a global() section into your config, what's in the global
section doesn't matter, but if there isn't one, hostname gets set incorrectly.
It's possible that RedHat backported this bug accidentally.

David Lang

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: forwarded rsyslog messages is getting localhost added instead of hostname
Thanks David, for the response with a probable workaround.

We already have this configuration in place in our config file, as below:

### On Demand Debug
$DebugFile ##var_local_log_path##
$DebugLevel 1


*global( parser.controlCharacterEscapePrefix="#")*

*Insight:* With the same configurations, in another client it is able to
get the correct hostname instead of localhost.

Is there anything that the syslog is doing during translation from UDP to
TCP? Coz, UDP logging is getting the correct hostname in this
problematic client itself. We only see issues in TCP port while the
messages are getting forwarded to the syslog server.

As per debug logs, syslog is able to get the correct hostname "glbl.c:
GenerateLocalHostName uses '*testclient1*'" But fails to add it to the
messages while forwarding!


And also we are not formatting the logs, below is what we are doing to
forward to the syslog server:

$RuleSet auditlog1
$RulesetCreateMainQueue on
$MainMsgQueueType FixedArray
$MainMsgQueueSize 2000000
$MainMsgQueueDequeueBatchSize 1000
$MainMsgQueueWorkerThreads 2
*.* @@<syslog_server_IP>:1290
$ActionExecOnlyWhenPreviousIsSuspended on
& @@ <syslog_server_IP_fallback>:1290
$ActionExecOnlyWhenPreviousIsSuspended off


Regards,

--

*Naveenkumar Hanchinamani*
Software Engineer II , Server
+91 9741919257 M (PTT)
+91 080 – 4000 5555 O
naveenkumar.mh@motorolasolutions.com
*Kodiak*, a Motorola Solutions Company
+1 972-665-0200 | kodiakptt.com | motorolasolutions.com
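
A collector-side check for the symptom discussed in this thread, as an added example that is not part of the original posts or of rsyslog itself: it parses received lines and counts, per remote sender, the messages whose HOSTNAME field reads localhost. It assumes the collector writes each line as "<sender-ip> <timestamp> <hostname> <message>" (for instance via a template that includes rsyslog's fromhost-ip property); the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample: collector output in the assumed layout
# "<sender-ip> <timestamp> <hostname> <message>" (sender IP taken from the socket).
SAMPLE = """\
192.0.2.10 Oct 27 17:33:46 localhost <Test message>
192.0.2.11 Oct 27 17:33:47 testclient2 <Test message>
127.0.0.1 Oct 27 17:33:48 localhost rsyslogd: start
192.0.2.10 Oct 27 17:33:49 localhost <Test message>
garbage line without a header
"""

# Traditional syslog timestamp: "Mmm dd hh:mm:ss", day space-padded ("Oct  7").
LINE_RE = re.compile(
    r"^(?P<ip>\S+) "
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
LOOPBACK_IPS = {"127.0.0.1", "::1"}


def parse(line):
    """Return (sender_ip, hostname, msg), or None if the line does not match."""
    m = LINE_RE.match(line)
    return (m["ip"], m["host"], m["msg"]) if m else None


def mislabeled_senders(lines):
    """Count messages per remote sender whose HOSTNAME field is a loopback name."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable lines are skipped, not guessed at
        ip, host, _ = rec
        # A loopback name from a non-loopback peer means the sender's own
        # hostname was lost before the message reached the collector.
        if host.lower() in LOOPBACK_NAMES and ip not in LOOPBACK_IPS:
            hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in mislabeled_senders(SAMPLE.splitlines()).items():
        print(f"{ip}: {n} message(s) labelled localhost")
```

Messages the collector logs about itself over loopback are left out of the count, so only remote clients whose name was lost are reported.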
