%HOSTNAME% value is "unknown" in rsyslog template

Question

The Gist

Where does rsyslog get the value of %HOSTNAME% and under what conditions would "unknown" be the expected value?

We're using rsyslog on an EC2 instance and we're trying to send our logs out to loggly. If I tail -f the log messages, I can see the log in the default format including date, hostname, tag, and message.

If I use logger "message" then I see a correct log entry both in the console and in loggly. However, if a java console application logs an event, the hostname is "unknown" both in the console and in loggly.

Oddly, the same configuration of rsyslog and log4j results in the correct log entry if it comes from a web application hosted by tomcat.

I know some of that is very Java specific, but my question is this: where does rsyslog get the value of %HOSTNAME% and under what conditions would "unknown" be the expected value?

Answer 1

I figured this out. In order to get the hostname I needed to map the hostname to the ip address in the hosts file. I actually thought this was happening already, but at the time the script runs to append the correct hosts entry, the IP address is unknown and just the hostname gets appended to the file.

I added the correct entry and the hostname appears as expected in rsyslog and loggly.

In the meantime, I had changed the loggly format from %HOSTNAME% to %$myhostname%. This worked fine for us because we weren't remote logging so $myhostname was always the correct hostname.