Another remote syslog question (missing hostname)
-
Hi All,
I have been working on using remote syslog with a system at a remote site. I don't want to deploy a syslog server locally (lan) so was hopping to ship the data over wan to a rsyslog server.
Any way looking at the logs it looks like I am not getting the hostname of the pfsense but rather the IP address. Upon reading some rsyslog documentation and printing raw messages it is not included (that I can tell).
I found this post which I think points the finger at rsyslog.
http://forum.pfsense.org/index.php?topic=14687.0I guess my question is if this really is a problem with rsyslog or pfsense not sending hostnames?
###############################
For those that care I am using a test template to test incomming messages.$template testFormat," %HOSTNAME%-%FROMHOST%-%FROMHOST-IP%-%rawmsg%\n"
and getting output
72.172.219.179-72.172.219.179-72.172.219.179-<38>Apr 22 13:57:24 sshd[42757]: Accepted publickey for user from 118.82.129.111 port 48518 ssh2
and expecting
hostname -hostname-72.172.219.179-<38>Apr 22 13:57:24 sshd[42757]: Accepted publickey for user from 118.82.129.111 port 48518 ssh2
-
I just found a better way to see the incomming messages.
In rsyslog.conf use template RSYSLOG_DebugFormat
. /var/log/debuglog;RSYSLOG_DebugFormatDebug line with all properties:
FROMHOST: '72.172.219.179', fromhost-ip: '72.172.219.179', HOSTNAME: '72.172.219.179', PRI: 38,
syslogtag 'sshd[463]:', programname: 'sshd', APP-NAME: 'sshd', PROCID: '463', MSGID: '-',
TIMESTAMP: 'Apr 22 14:05:14', STRUCTURED-DATA: '-',
msg: ' Exiting on signal 15'
escaped msg: ' Exiting on signal 15'
rawmsg: '<38>Apr 22 14:05:14 sshd[463]: Exiting on signal 15'