
Hostname matching with DNS
I have a couple of hosts on private IPs 10.x.x.x and thus they have no
DNS entries. So rather than log the IP in syslog I set up host
entries for them.

If I do something like

:FROMHOST, isequal, "foobar" -?dialup

it doesn't match the /etc/hosts entry I have for foobar. If I set up
a catchall entry that goes to a test log I see the line

Dec 24 10:06:23 foobar [This is the message]

So it's logging the hostname like I would expect it to (rsyslog is
aware of the host entry) but I can't match against it? Unfortunately
my server is SUPER busy now and I can't put the server in debug mode
to check what's coming across. Is there another way I could check this?

--
Scott Baker - Canby Telcom
RHCE - System Administrator - 503.266.8253
Hostname matching with DNS [ In reply to ]
Really quick: check the HOSTNAME (or so ;)) property.

----- Original Message -----
From: "Scott Baker" <bakers at web-ster.com>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Sent: 24.12.07 19:10
Subject: [rsyslog] Hostname matching with DNS

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
Hostname matching with DNS [ In reply to ]
Scott,

So now a bit more in-depth: the HOSTNAME is taken from the syslog message, while FROMHOST is the last hope. There is only a difference in relay scenarios - or, like here, based on DNS resolution. This is why you see different values. The point is to match against the same one that is used in the catchall rule.

However, I think the most appropriate thing to do is add a FROMHOST-IP property, which always has the IP address of the sender, no matter if the -x option is given or not.

Would that help?

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Rainer Gerhards
> Sent: Monday, December 24, 2007 7:59 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Hostname matching with DNS
>
> Really quick: check the HOSTNAME (or so ;)) property.
>
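As an added example (not from the thread), an rsyslog configuration that follows Rainer's advice: the test log prints HOSTNAME, FROMHOST and the sender IP side by side so you can see which value a filter would compare against without enabling debug mode, and the per-sender file is keyed on the IP rather than on a resolved name. It assumes an rsyslog version that provides the fromhost-ip property proposed above; the file paths and the "10." prefix are placeholders.

```rsyslog
# Template that writes all three sender-related properties next to each other,
# so the catch-all test log itself shows what a filter would see.
$template HostCheck,"%timegenerated% hostname=%hostname% fromhost=%fromhost% fromhost-ip=%fromhost-ip% %syslogtag%%msg%\n"

# Catch-all test log using that template (path is a placeholder).
*.* /var/log/hostcheck.log;HostCheck

# Dynamic per-sender file name keyed on the raw IP of the last hop, so an
# /etc/hosts edit or a DNS change cannot silently stop the rule from matching.
$template dialup,"/var/log/dialup/%fromhost-ip%.log"

# Match on the sender IP instead of on the resolved FROMHOST name.
# "10." is a placeholder for the private range in question.
:fromhost-ip, startswith, "10." -?dialup

# If a name must be matched, match the same property the catch-all log shows
# (here the HOSTNAME field carried inside the message itself).
:hostname, isequal, "foobar" -/var/log/foobar.log
```

Compare the hostname= and fromhost= fields in the test log: whichever one carries "foobar" is the property the filter has to use.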
Hostname matching with DNS [ In reply to ]
> while FROMHOST is the last hope

Lol... No, it is not my last *hope*, even though it may be for the time
being ;) That should have been "last hop". Nice typo ;)

Rainer
Hostname matching with DNS [ In reply to ]
Rainer Gerhards wrote:
> Scott,
>
> So now a bit more in-depth: the HOSTNAME is taken from the syslog message, while FROMHOST is the last hope. There is only a difference in relay scenarios - or, like here, based on DNS resolution. This is why you see different values. The point is to match against the same one that is used in the catchall rule.
>
> However, I think the most appropriate thing to do is add a FROMHOST-IP property, which always has the IP address of the sender, no matter if the -x option is given or not.
>
> Would that help?

Ya I think a FROMHOST-IP property would be great. It'd make setting
up my rules easier. Tell me more about hosts resolution vs DNS
resolution?

I have some FROMHOST rules that work just fine, but as soon as I add
a hosts entry it stops logging. So somewhere it's using the host
entry but I can't figure out how/where or what precedence that has
over DNS.

--
Scott Baker - Canby Telcom
RHCE - System Administrator - 503.266.8253
Hostname matching with DNS [ In reply to ]
Rsyslog doesn't do anything specific with the hosts file - it just uses the system resolver library and everything else is handled in there...

I'll have a look at hostname-ip as soon as I can.

Rainer

----- Original Message -----
From: "Scott Baker" <bakers at web-ster.com>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Sent: 24.12.07 21:06
Subject: Re: [rsyslog] Hostname matching with DNS
