我正在尝试在Ubuntu 10.04 LTS上使用stock rsyslogd(4.2.0-2ubuntu8.1)实现一个简单的集中式系统日志服务器.此时,我的所有客户端节点都将日志发送到中央服务器,但客户端正在发送包含其短主机名而不是其FQDN的日志消息.
根据Ubuntu rsyslogd手册页:
If the remote host is located in the same domain as the host,rsyslogd is running on,only the simple hostname will be logged instead of the whole fqdn.
这对我来说是有问题的,因为我在环境之间重复使用短名称,例如core1.example.com和core1.stg.example.com都将其消息记录为core1.
客户端和服务器都具有相同的/ etc / default / rsyslog:
- RSYSLOGD_OPTIONS="-c4"
和/etc/rsyslogd.conf文件一样:
- $ModLoad imuxsock
- $ModLoad imklog
- $PreserveFQDN on
- $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
- $FileOwner root
- $FileGroup adm
- $FileCreateMode 0640
- $IncludeConfig /etc/rsyslog.d/*.conf
客户端有这个/etc/rsyslog.d/remote.conf文件,告诉他们发送到远程服务器:
- *.* @@syslog.example.com
并且服务器使用此/etc/rsyslog.d/server.conf文件:
- $ModLoad imtcp
- $InputTCPServerRun 514
- $DirGroup root
- $DirCreateMode 0755
- $FileGroup root
- $template PerHostAuth,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/auth.log"
- $template PerHostCron,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/cron.log"
- $template PerHostSyslog,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/syslog"
- $template PerHostDaemon,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/daemon.log"
- $template PerHostKern,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/kern.log"
- $template PerHostLpr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/lpr.log"
- $template PerHostUser,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/user.log"
- $template PerHostMail,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.log"
- $template PerHostMailInfo,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.info"
- $template PerHostMailWarn,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.warn"
- $template PerHostMailErr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.err"
- $template PerHostNewsCrit,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.crit"
- $template PerHostNewsErr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.err"
- $template PerHostNewsNotice,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.notice"
- $template PerHostDebug,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/debug"
- $template PerHostMessages,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages"
- auth,authpriv.* ?PerHostAuth
- *.*;auth,authpriv.none -?PerHostSyslog
- cron.* ?PerHostCron
- daemon.* -?PerHostDaemon
- kern.* -?PerHostKern
- lpr.* -?PerHostLpr
- mail.* -?PerHostMail
- user.* -?PerHostUser
- mail.info -?PerHostMailInfo
- mail.warn ?PerHostMailWarn
- mail.err ?PerHostMailErr
- news.crit ?PerHostNewsCrit
- news.err ?PerHostNewsErr
- news.notice -?PerHostNewsNotice
- *.=debug;\
- auth,authpriv.none;\
- news.none;mail.none -?PerHostDebug
- *.=info;*.=notice;*.=warn;\
- auth,authpriv.none;\
- cron,daemon.none;\
- mail,news.none -?PerHostMessages
由于客户端和服务器共享一个指定“$PreserveFQDN on”的配置,我希望在syslog消息中看到FQDN主机名,但该设置似乎没有任何效果.我发现的rsyslog的大多数其他设置都旨在从FQDN中剥离域而不是保留它们.我认为问题的根源是我的客户端首先不发送FQDN,但我不知道如何强制这种行为.
任何人都可以评论我可能会失踪的东西吗?我想我不是唯一需要将FQDN包含在日志消息中的人.
