Mailing List Archive

Changing hostname field
Hello everyone

I am trying to configure rsyslog to service a number of chroot jails in
addition to the host itself.

But I need to change the hostname field of the syslog messages from the
different jails, so that I place them in the right log file on the central
logging host.

My current rsyslog.conf is as follows:

$ModLoad imuxsock
$ModLoad imklog
$ModLoad immark
$ModLoad omrelp

$AddUnixListenSocket /jail/1/dev/log
$AddUnixListenSocket /jail/2/dev/log

*.* :omrelp:10.0.0.4:2514


Can anyone please advise me on how to do that?


---

David Darville
Changing hostname field [ In reply to ]
Do the jails all share the same hostname and IP? If not, you should be
able to use the %hostname% or %fromhost% properties.

If so, are they each running their own instance of (r)syslogd?

-HKS

Changing hostname field [ In reply to ]
The jails all have their own unique hostname (and IP), but all share an
rsyslogd instance running on the main host, and the %hostname% and
%fromhost% in all the log messages from the jails are set to the hostname of
the main host. And that is what I want to change.

Changing hostname field [ In reply to ]
Use a template with fixed name.

Changing hostname field [ In reply to ]
Sorry for being brief, I was on the road and needed to write from a cell phone :(

It also looks like I was wrong ;) I have reviewed the case. If I understand correctly, you get your data from the different unix sockets and then forward via a single rule. So you can not use different templates (which most often are the real solution to any such problem, but are not obvious to most people not directly involved in rsyslog ;)).

Is my understanding correct now?

Rainer

Changing hostname field [ In reply to ]
On Fri, Aug 01, 2008 at 07:58:10AM +0200, Rainer Gerhards wrote:
> Sorry for being brief, I was on the road and needed to write from
> a cell phone :(

Supporting rsyslog on your cell phone - you are very dedicated to your
product ;-)

> It also looks like I was wrong ;) I have reviewed the case. If I
> understand correctly, you get your data from the different unix sockets
> and then forward via a single rule. So you can not use different
> templates (which most often are the real solution to any such problem,
> but are not obvious to most people not directly involved in rsyslog ;)).
>
> Is my understanding correct now?

Yes, and then I'm splitting log messages on the dedicated log host, based on
the hostname field.

We are keeping the rsyslogd process outside the jails, to keep the syslog
traffic on an isolated network segment.

-- David

Changing hostname field [ In reply to ]
Inline...

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of David Darville
> Sent: Friday, August 01, 2008 12:27 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Changing hostname field
>
> On Fri, Aug 01, 2008 at 07:58:10AM +0200, Rainer Gerhards wrote:
> > Sorry for being brief, I was on the road and needed to write from
> > a cell phone :(
>
> Supporting rsyslog on your cell phone - you are very dedicated to your
> product ;-)

Thanks - I am trying my best ;) And, if you have not already done so, I'd appreciate if you could rate rsyslog at freshmeat.net, it's just a simple click (even if you need to create an account it doesn't take long). It helps us get momentum and this is as important as code quality ;)

You can do it here (middle of the page):
http://freshmeat.net/projects/rsyslog/

>
> > It also looks like I was wrong ;) I have reviewed the case. If I
> > understand correctly, you get your data from the different unix sockets
> > and then forward via a single rule. So you can not use different
> > templates (which most often are the real solution to any such problem,
> > but are not obvious to most people not directly involved in rsyslog ;)).
> >
> > Is my understanding correct now?
>
> Yes, and then I'm splitting log messages on the dedicated log host, based on
> the hostname field.
>
> We are keeping the rsyslogd process outside the jails, to keep the syslog
> traffic on an isolated network segment.

OK, that was fairly easy to do. I have created a special version for you:

http://download.rsyslog.com/rsyslog/rsyslog-3.21.2-Test1.tar.gz

It contains a new config directive that allows you to specify the hostname, see last sample on

http://www.rsyslog.com/doc-imuxsock.html

In my lab it works, but I would appreciate if you could test and verify.

Thanks,
Rainer

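The per-socket hostname override described in the message above, as an added example that is not taken from the thread or from the linked test build. It assumes the directive is `$InputUnixListenSocketHostName` (the legacy-format imuxsock setting); the jail hostnames and the receiver's log path are constructed placeholders.

```conf
# --- Sender: rsyslog.conf on the host that owns the jails ---
$ModLoad imuxsock
$ModLoad imklog
$ModLoad immark
$ModLoad omrelp

# The override affects only the NEXT $AddUnixListenSocket and is then reset,
# so it must be repeated directly before each jail socket.
# Hostnames below are constructed placeholders.
$InputUnixListenSocketHostName jail1.example.net
$AddUnixListenSocket /jail/1/dev/log

$InputUnixListenSocketHostName jail2.example.net
$AddUnixListenSocket /jail/2/dev/log

# Single forwarding rule, unchanged from the original configuration.
*.* :omrelp:10.0.0.4:2514

# --- Receiver: rsyslog.conf on the central log host (10.0.0.4) ---
$ModLoad imrelp
$InputRELPServerRun 2514

# One file per hostname. The hostname field is whatever the sending rsyslogd
# put there, so it is used in a path only after slashes are replaced
# (secpath-replace). The directory is a constructed placeholder.
$template PerHostFile,"/var/log/remote/%hostname:::secpath-replace%.log"
*.* ?PerHostFile
```

Because the hostname is assigned by the rsyslogd outside the jails, a process inside a jail cannot choose which per-host file its messages land in; only the socket it writes to decides that.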
Changing hostname field [ In reply to ]
On Fri, Aug 01, 2008 at 03:06:43PM +0200, Rainer Gerhards wrote:

> OK, that was fairly easy to do. I have created a special version for you:
>
> http://download.rsyslog.com/rsyslog/rsyslog-3.21.2-Test1.tar.gz
>
> It contains a new config directive that allows you to specify the hostname, see last sample on
>
> http://www.rsyslog.com/doc-imuxsock.html
>
> In my lab it works, but I would appreciate if you could test and verify.

Thank you very much, that is extremely good service - it works perfectly.

I owe you a beer for that.......


-- David Darville
Changing hostname field [ In reply to ]
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of David Darville
> Sent: Thursday, August 07, 2008 11:13 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Changing hostname field
>
> Thank you very much, that is extremely good service - it works
> perfectly.
>

Excellent!

> I owe you a beer for that.......

Be careful: I extremely well remember some things ;)

Rainer