[SOLVED] rsyslog: re-write hostname in locally-generated messages?

catkin · 01-19-2014, 04:42 AM

Our hostnames are only unique when the first two parts of the FQDN are used. For example: server.london.example.com and server.mumbai.example.com.

Messages in /var/log/syslog look for example like:

Code:

Jan 19 15:02:04 server postfix/qmgr[5378]: 6BBD62D6059: removed

Can rsyslog be configured to change server in the above message to server.mumbai?

Research suggested the PropertyReplacer could do that. The preamble on http://www.rsyslog.com/doc/property_replacer.html says "A syslog message has a number of well-defined properties (see below). Each of this properties can be accessed and manipulated by the property replacer. With it, it is easy to use only part of a property value or manipulate the value, e.g. by converting all characters to lower case.".

Encouraging; maybe ...

Code:

%fromhost-ip:::127.0.0.1:<something>

... but I could not identify the right <something>. The rsyslog documentation at http://www.rsyslog.com/doc/property_replacer.html, in the section on Property Options, gives Name as a possible option and says it is a "template / property / constant". The "constant" looks promising but what is it? No further documentation or usage examples about "constant" found.

Maybe rsyslog can't assign a value to a property. David Lang (who appears often on the Internet, giving apparently sound advice about rsyslog) says exactly that at http://www.gossamer-threads.com/list...sers/6221#6221.

Hmm ... ?

unSpawn · 01-20-2014, 05:04 PM

Not what you asked for but (until you find your solution) how about setting a per server output template, say:

Code:

$template london,"/var/log/server.london.example.com.log"

and use that as a filter:

Code:

if ($fromhost-ip == "1.2.3.4") \
 then -?london
 & ~

If that's not what you want then the rsyslog users mailing list may be of help?
Would be interesting to know the "right" solution...

catkin · 01-21-2014, 09:39 PM

Thanks unSpawn

Good workaround suggestion but not applicable in our situation -- each server only logs its own messages; the change of hostname is desired for clarity when we paste log messages into issue reports.

I have asked in the rsyslog mailing list and will update this thread with information from there.

catkin · 01-23-2014, 12:31 AM

David Lang replied very promptly on the rsyslog mailing list:

Quote:

You cannot change one of the default properties, with v7 you can create and use your own variables, but in this case, that's not what you are really needing.

Instead of trying to change one of the existing properties, the thing to do is to create a new template instead of using one of the defaults. Then in place of the %hostname% field you can put whatever you want.

Given that pointer -- and after realising that -c4 made our rsyslogd version 6.4 behave in version 4 compatibility mode so list templates were not an option -- it was straightforward.

The solution was to create this /etc/rsyslog.d/FileFormat.template.conf file ...

Code:

$template FileFormat,"%timegenerated% server.london %syslogtag%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate FileFormat

... and restart rsyslogd.

In case it matters, this was on Debian 6 squeeze where /etc/rsyslog.conf has:

Code:

$IncludeConfig /etc/rsyslog.d/*.conf

unSpawn · 01-23-2014, 01:56 AM

Well done. Thanks for posting the solution!