rsyslog sometimes logs fqdn, sometimes just host name

whysyn · 06-02-2008, 09:10 AM

Hi all,

I have a syslog server that receives logs from several hosts using the standard 514/udp syslog protocol. Most of these systems are internal, so I have added an entry for each in the /etc/hosts file so the names get loged instead of IP addresses.

I'm having a problem where one host logs the FQDN and another host only logs the hostname portion.

/etc/hosts excerpt:

Code:

192.168.1.230   voipfw01.mydom.net
192.168.1.8     main-fw.my-dom.com

Both hosts sent to local4, which I have excluded from all other logs and only writes to /var/log/firewall. In the log, I have:

Code:

Jun  2 10:07:13 main-fw <message>
Jun  2 10:07:14 voipfw.mydom.net <message>

Both FQDN are the same length, so I don't think it's a truncation problem. The only difference that is apparent to me is the hyphens in the second entry.

I need the FQDN to be logged, please help.

chrism01 · 06-02-2008, 09:07 PM

I'm guessing that local 4 is in my-dom.com domain, so it 'knows' main-fw.my-dom.com, whereas the other one is in a different TLD.
Alternately/as well, are you running a DNS server?

whysyn · 06-03-2008, 08:53 AM

We do run DNS, but they are public servers with hundreds of domains. We don't put non-routable addresses in them. I'm happy using the hosts file for this, it's one syslog server plus a hot standby so not a big issue.

I see what you're saying, and yes, the hosts logging only their simple name are in the same TLD as the syslog server. I changed the TLD on the syslog server and everything is once again logging with FQDN.

My old syslog daemon didn't work this way... it just always used the FQDN.

Thanks for the info.

rgerhards · 06-03-2008, 10:31 AM

rsyslog inherited that behavior from sysklogd. Nobody ever questioned it. But it looks like it would be useful to be able to disable it. What do you think?

Rainer