27

I'm trying to implement a simple centralized syslog server using stock rsyslogd (4.2.0-2ubuntu8.1) on Ubuntu 10.04 LTS. At this point I have all my client nodes sending logs to the central server, but the clients are sending log messages which contain their short hostname instead of their FQDN.

Per the Ubuntu rsyslogd manpage:

If the remote host is located in the same domain as the host, rsyslogd is running on, only the simple hostname will be logged instead of the whole fqdn.

This is problematic for me, as I am reusing short names between environments, e.g. core1.example.com and core1.stg.example.com both log their messages as core1.

Both client and server have the same /etc/default/rsyslog:

    RSYSLOGD_OPTIONS="-c4"

and the same /etc/rsyslogd.conf file:

    $ModLoad imuxsock
    $ModLoad imklog
    $PreserveFQDN on
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $FileOwner root
    $FileGroup adm
    $FileCreateMode 0640
    $IncludeConfig /etc/rsyslog.d/*.conf

Clients have this /etc/rsyslog.d/remote.conf file, telling them to send to the remote server:

    *.* @@syslog.example.com

and the server uses this /etc/rsyslog.d/server.conf file:

    $ModLoad imtcp
    $InputTCPServerRun 514
    $DirGroup root
    $DirCreateMode 0755
    $FileGroup root
    $template PerHostAuth,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/auth.log"
    $template PerHostCron,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/cron.log"
    $template PerHostSyslog,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/syslog"
    $template PerHostDaemon,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/daemon.log"
    $template PerHostKern,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/kern.log"
    $template PerHostLpr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/lpr.log"
    $template PerHostUser,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/user.log"
    $template PerHostMail,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.log"
    $template PerHostMailInfo,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.info"
    $template PerHostMailWarn,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.warn"
    $template PerHostMailErr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.err"
    $template PerHostNewsCrit,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.crit"
    $template PerHostNewsErr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.err"
    $template PerHostNewsNotice,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.notice"
    $template PerHostDebug,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/debug"
    $template PerHostMessages,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages"
    auth,authpriv.*         ?PerHostAuth
    *.*;auth,authpriv.none  -?PerHostSyslog
    cron.*                  ?PerHostCron
    daemon.*                -?PerHostDaemon
    kern.*                  -?PerHostKern
    lpr.*                   -?PerHostLpr
    mail.*                  -?PerHostMail
    user.*                  -?PerHostUser
    mail.info               -?PerHostMailInfo
    mail.warn               ?PerHostMailWarn
    mail.err                ?PerHostMailErr
    news.crit               ?PerHostNewsCrit
    news.err                ?PerHostNewsErr
    news.notice             -?PerHostNewsNotice
    *.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -?PerHostDebug
    *.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -?PerHostMessages

As both client and server share a configuration which specifies "$PreserveFQDN on", I expect to see FQDN hostnames in syslog messages, but the setting seems to have had no effect. Most other settings I've found for rsyslog are aimed at stripping domains from FQDNs instead of retaining them. I think the root of the problem is that my clients do not send the FQDN in the first place, but I don't see how to force that behavior.

Can anyone comment on what I might be missing? I imagine I'm not the only person who needs FQDNs to be included in log messages.

cwjohnston
  • I have subsequently built and installed the rsyslog 4.6.4-2ubuntu4 package from Ubuntu 11.04 on my server and a subset of my client nodes, but have not observed a change in this behavior as a result. – cwjohnston May 28 '11 at 15:06

5 Answers

45

I ran into this issue as well. Here is how I was able to fix it.

  1. On the clients modify the /etc/hosts file so the desired hostname comes before localhost.

    127.0.0.1 hostnameforlogs localhost

  2. On the clients and server modify /etc/rsyslog.conf to include this statement:

    $PreserveFQDN on

  3. On the server I used the %HOSTNAME% variable for the templates in rsyslog.conf:

Matt McMillan
10

To change the hostname rsyslog sends, add the following directive as the very first line in /etc/rsyslog.conf before any modules are loaded:

    $LocalHostName yourhostname

Alternatively, to have rsyslog send with the fully-qualified domain name (FQDN, such as system1.example.com) instead of simply the hostname (system1), use the directive:

    $PreserveFQDN on

This is rarely needed. We recommend using the hostname (without the domain name) unless you have identically-named systems.

An alternative way to set it (that allows you to send different logs as different hostnames) is by setting a custom template:

    $template MyTemplate, "<%pri%> %timestamp% MySpoofedHostName %syslogtag% %msg%\n"
    $ActionForwardDefaultTemplate MyTemplate

MadHatter
Emilio Macias
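
Added example, not part of any answer above: a server-side audit for the ambiguity discussed on this page, where the HOSTNAME field is whatever the client sends (a short name, or any string set through `$LocalHostName` or a forwarding template). It assumes the central server also writes an audit file with a template such as `"%fromhost-ip% %HOSTNAME% %syslogtag%%msg%\n"`; the sample records and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, one record per line: "<fromhost-ip> <HOSTNAME> <tag+msg>".
# Assumption: written on the central server by a template such as
#   "%fromhost-ip% %HOSTNAME% %syslogtag%%msg%\n"
SAMPLE = """\
10.0.1.5 core1 sshd[811]: Accepted publickey for deploy
10.0.9.7 core1 sshd[402]: Failed password for root
10.0.1.6 web1.example.com cron[77]: (root) CMD (run-parts)
10.0.9.8 web1.stg.example.com cron[12]: (root) CMD (run-parts)
10.0.9.8 MySpoofedHostName app: started
malformed-line
"""

def parse(line):
    """Split one audit record into (source_ip, claimed_hostname), or None."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    return parts[0], parts[1].lower()  # hostnames compare case-insensitively

def audit(lines):
    """Report claimed hostnames that cannot be tied to exactly one sender."""
    ips_by_name = defaultdict(set)
    names_by_ip = defaultdict(set)
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        ip, name = rec
        ips_by_name[name].add(ip)
        names_by_ip[ip].add(name)
    return {
        # No dot: the client sent a short name, so environments can collide.
        "short_names": sorted(n for n in ips_by_name if "." not in n),
        # One claimed name, several senders: a collision or a forged HOSTNAME.
        "shared_names": {n: sorted(ips) for n, ips in sorted(ips_by_name.items())
                         if len(ips) > 1},
        # One sender, several names: a relay, or a template overriding the name.
        "multi_name_senders": {ip: sorted(ns) for ip, ns in sorted(names_by_ip.items())
                               if len(ns) > 1},
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE.splitlines()).items():
        print(key, value)
```

A name under `shared_names` means the per-host directory built from `%HOSTNAME%` is mixing logs from more than one machine.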
4

It could be a bug. FQDN support is or was known to be wonky, though none of the registered FQDN bugs seem to apply.

As a workaround, if you don't do any relaying, use %FROMHOST% instead of %HOSTNAME%.

  • 2
    Using `%FROMHOST%` does give me an FQDN, but it seems to be the result of a reverse lookup on the client node's IP address. Since my systems are running on AWS EC2, this will, unfortunately, always yield an FQDN which has no immediate meaning to me. – cwjohnston May 27 '11 at 19:40
1

I can only speak to 7.6.x, but $PreserveFQDN was all that was needed for it to work. You can avoid having to mess with /etc/hosts if your node's FQDN is set up correctly.

Example for CentOS/RHEL systems:

    $ -> vi /etc/sysconfig/network

    # Change this
    HOSTNAME=service-a-1

    # To this
    HOSTNAME=service-a-1.sn1.vpc3.example.com

Be sure to reboot.

Mike Purcell
1

You can use this in the client-side rsyslog config:

    $LocalHostName {{HOSTNAME}}

and replace {{HOSTNAME}} with the desired hostname, or you can detemplatize it on each of the clients automatically using mustache.

Rahul Shaw