I'm trying to implement a simple centralized syslog server using stock rsyslogd (4.2.0-2ubuntu8.1) on Ubuntu 10.04 LTS. At this point I have all my client nodes sending logs to the central server, but the clients are sending log messages which contain their short hostname instead of their FQDN.
Per the Ubuntu rsyslogd manpage:
If the remote host is located in the same domain as the host, rsyslogd is running on, only the simple hostname will be logged instead of the whole fqdn.
This is problematic for me, as I am reusing short names between environments, e.g. core1.example.com and core1.stg.example.com both log their messages as core1.
Both client and server have the same /etc/default/rsyslog:
RSYSLOGD_OPTIONS="-c4"
and the same /etc/rsyslogd.conf file:
$ModLoad imuxsock
$ModLoad imklog
$PreserveFQDN on
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$IncludeConfig /etc/rsyslog.d/*.conf
Clients have this /etc/rsyslog.d/remote.conf file, telling them to send to the remote server:
*.* @@syslog.example.com
and the server uses this /etc/rsyslog.d/server.conf file:
$ModLoad imtcp
$InputTCPServerRun 514
$DirGroup root
$DirCreateMode 0755
$FileGroup root
$template PerHostAuth,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/auth.log"
$template PerHostCron,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/cron.log"
$template PerHostSyslog,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/syslog"
$template PerHostDaemon,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/daemon.log"
$template PerHostKern,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/kern.log"
$template PerHostLpr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/lpr.log"
$template PerHostUser,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/user.log"
$template PerHostMail,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.log"
$template PerHostMailInfo,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.info"
$template PerHostMailWarn,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.warn"
$template PerHostMailErr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.err"
$template PerHostNewsCrit,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.crit"
$template PerHostNewsErr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.err"
$template PerHostNewsNotice,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.notice"
$template PerHostDebug,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/debug"
$template PerHostMessages,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages"
auth,authpriv.* ?PerHostAuth
*.*;auth,authpriv.none -?PerHostSyslog
cron.* ?PerHostCron
daemon.* -?PerHostDaemon
kern.* -?PerHostKern
lpr.* -?PerHostLpr
mail.* -?PerHostMail
user.* -?PerHostUser
mail.info -?PerHostMailInfo
mail.warn ?PerHostMailWarn
mail.err ?PerHostMailErr
news.crit ?PerHostNewsCrit
news.err ?PerHostNewsErr
news.notice -?PerHostNewsNotice
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -?PerHostDebug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -?PerHostMessages
As both client and server share a configuration which specifies "$PreserveFQDN on", I expect to see FQDN hostnames in syslog messages, but the setting seems to have had no effect. Most other settings I've found for rsyslog are aimed at stripping domains from FQDNs instead of retaining them. I think the root of the problem is that my clients do not send the FQDN in the first place, but I don't see how to force that behavior.
Can anyone comment on what I might be missing? I imagine I'm not the only person who needs FQDNs to be included in log messages.
I ran into this issue as well. Here is how I was able to fix it.
On the clients modify the /etc/hosts file so the desired hostname comes before localhost.
127.0.0.1 hostnameforlogs localhost
On the clients and server modify /etc/rsyslog.conf to include this statement:
$PreserveFQDN on
On the server I used the %HOSTNAME% variable for the templates in rsyslog.conf:
To change the hostname rsyslog sends, add the following directive as the very first line in /etc/rsyslog.conf before any modules are loaded:
Alternatively, to have rsyslog send with the fully-qualified domain name (FQDN, such as system1.example.com) instead of simply the hostname (system1), use the directive:
This is rarely needed. We recommend using the hostname (without the domain name) unless you have identically-named systems.
An alternative way to set it (that allows you to send different logs as different hostnames) is by setting a custom template:
It could be a bug. FQDN support is or was known to be wonky, though none of the registered FQDN bugs seem to apply.
As a workaround, if you don't do any relaying, use
%FROMHOST%
instead of %HOSTNAME%.I can only speak to 7.6.x, but
$PreserveFQDN
was all that was needed for it to work. You can avoid having to mess with/etc/hosts
if your node's FQDN is setup correctly.Example for CentOS/RHEL systems:
Be sure to reboot.
You can use this in client side rsyslog config.
and replace
{{HOSTNAME}}
with the desired hostname or you can detemplatize it on each of the client using mustache automatically.