Hello,

I have some devices that send syslog messages to an rsyslog server.
The syslog datagram is composed of a few headers, including syslog type, severity, mnemonic in addition to the syslog message.

The syslog message contains the senders ip address (not hostname), and there is no way to reconfigure the device to send hostname instead of ip address.

Example of syslog message content :
Nov 24 12:53:24 10.10.10.10 00076 ports: port 3 is now on-line

I would like rsyslog to parse out the IP, do a dns lookup and replace with the dns name before the log is written to file.

Desired output :
Nov 24 12:53:24 <hostname_from_dnslookup> 00076 ports: port 3 is now on-line

Has anyone done such a thing before, any tips/hints that can help me resolve this?

rsyslog is a must, as it is used for all our logging, so is the desire to resolve before it is written to file as it is being ingested by another tool that needs hostnames rather than ip.

Your help is much appreciated,

Thanks,
Simon.

Simon:

http://serverfault.com/questions/274...short-hostname
offers tips, eg: $LocalHostName yourhostname, modification of /etc/hosts...

Seems apparent that (r)syslog uses gethostbyname (hostname) and that comes from of the sending box.
What is the hostname of the sending boxes?
Are they named by name or IP?

You may wish to search rsyslog documentation for 'Property Replacer' to replace directly on syslog receiver.
It will surely require a template if the $LocalHostName yourhostname doesn't do it directly, or if the hostname can't be changed.

References:
http://www.gossamer-threads.com/list...log/users/3487