Bug 250628 - Forwarded messages have duplicate hostname
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: rsyslog
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Peter Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-08-02 11:33 EDT by Orion Poplawski
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-10-03 11:22:44 EDT

Attachments:
rsyslog.conf (747 bytes, text/plain), 2007-08-15 11:43 EDT, Orion Poplawski

Description Orion Poplawski 2007-08-02 11:33:41 EDT
Description of problem:

I forward authpriv messages to an EL-5 server.  Starting with 1.17.5-1.fc8 I see
duplicate hostnames:

Aug  1 12:07:22 lynx lynx sshd[13478]: pam_unix(sshd:session): session closed
for user root

worked with 1.17.2-4.fc8:

Jul 30 11:58:46 lynx sshd[2288]: Received signal 15; terminating.
Comment 1 Daniel Kopeček 2007-08-03 04:45:52 EDT
(In reply to comment #0)
> Description of problem:
> 
> I forward authpriv messages to an EL-5 server.  Starting with 1.17.5-1.fc8 I see
> duplicate hostnames:
> 
> Aug  1 12:07:22 lynx lynx sshd[13478]: pam_unix(sshd:session): session closed
> for user root
> 
> worked with 1.17.2-4.fc8:
> 
> Jul 30 11:58:46 lynx sshd[2288]: Received signal 15; terminating.

Can you attach your config file, please? We tried to reproduce this bug, but
without success.
Comment 2 Orion Poplawski 2007-08-15 11:43:41 EDT
Created attachment 161374
rsyslog.conf

Here you go.  This was as a result of an upgrade from F7.
Comment 3 Orion Poplawski 2007-09-05 11:15:01 EDT
I see this on the wire:

09:10:05.635149 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP
(17), length: 129) cynosure.cora.nwra.com.syslog > earth.cora.nwra.com.syslog:
[udp sum ok] SYSLOG, length: 101
        Facility authpriv (10), Severity info (6)
        Msg: Sep  5 09:10:05 cynosure su: pam_unix(su-l:session): session opened
for user root by orion(uid=0)

So it is forwarding the full message including timestamp and hostname. The old
ksyslogd logger does not send the timestamp and hostname:

09:11:22.301342 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP
(17), length: 99) marie.cora.nwra.com.syslog > earth.cora.nwra.com.syslog: [udp
sum ok] SYSLOG, length: 71
        Facility authpriv (10), Severity info (6)
        Msg: sshd[23637]: pam_unix(sshd:session): session closed for user orion\012

Also filed upstream:

https://sourceforge.net/tracker/index.php?func=detail&aid=1784423&group_id=123448&atid=696552
Comment 4 Rainer Gerhards 2007-09-06 11:09:23 EDT
I have solved this in the upstream. The root cause was actually a
misunderstanding. For solution, see here:

https://sourceforge.net/tracker/index.php?func=detail&aid=1784423&group_id=123448&atid=696552
Comment 5 Orion Poplawski 2007-09-06 11:19:39 EDT
Not sure how you want to handle this.  Definitely should have a release note in
any case.  I've fixed it by changing my forwarding rule to:

$template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"
authpriv.*                              @loghost;sysklogd

Not sure how upgrades from sysklogd -> rsyslog are handled and if you want to
try to do the above changes automatically.
Comment 6 Rainer Gerhards 2007-09-07 03:44:57 EDT
I see the challenge you face. ... and rsyslog should be a drop-in replacement,
so that should not be too hard to do. How about this: I create a new config file
directive $DefaultFwdTemplate which allows overriding the default forwarding
template to use when none is provided. Then, for upgrade purposes, the config
file could start with:

$template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"
$DefaultFwdTemplate sysklogd

Adding that to the top of the file should be easy during upgrade. I do not want
to change the default in rsyslog itself, as that costs functionality and breaks
existing installations.

There is a drawback, however: with that option, rsyslog will no longer be able
to obtain the correct hostname in relay chains and NATed environments (just like
sysklogd does not). But I think that is acceptable. A release note would make
much sense to describe that problem. Once people have fully migrated to rsyslog,
they can simply remove these two lines and enjoy the full benefit.

How does this sound? Please provide feedback, I will only implement if this is
considered a valuable extension.
Comment 7 Peter Vrabec 2007-10-03 11:22:44 EDT
I'm not fixing this bug, because there is no way to fix it. The simple 
workaround exists, comment #5.
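
Added example, not part of the original bug report and not rsyslog or sysklogd code: the three payload shapes discussed in comments 3 and 5 are passed through a simplified receiver model, and a check over stored lines reports which senders still embed their hostname. The receiver model (`store`), the helper names, the short-name comparison and the sample payloads are assumptions constructed for illustration.

```python
import re
from collections import Counter

TS = r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"
PAYLOAD_RE = re.compile(rf"^<(?P<pri>\d{{1,3}})>(?:(?P<ts>{TS}) )?(?P<rest>.*)$")
STORED_RE = re.compile(rf"^{TS} (?P<host>\S+) (?P<rest>.*)$")
TAG_RE = re.compile(r"^[^\s\[\]:]+(?:\[\d+\])?:$")  # "su:" or "sshd[13478]:"


def store(payload, sender, now="Sep  5 09:10:06"):
    """Simplified receiver model (assumption): keep a leading timestamp if
    present, always prepend the sender's name, treat the rest as the message."""
    m = PAYLOAD_RE.match(payload)
    if m is None:
        return f"{now} {sender} {payload}"
    return f"{m.group('ts') or now} {sender} {m.group('rest')}"


def duplicated_host(line):
    """Return the host if a stored line reads 'TS host host tag: ...'."""
    m = STORED_RE.match(line)
    if m is None:
        return None
    words = m.group("rest").split(" ", 2)
    if len(words) < 2 or not TAG_RE.match(words[1]):
        return None
    host = m.group("host")
    # Compare short names so "lynx" also matches "lynx.example.com".
    same = host.split(".")[0].lower() == words[0].split(".")[0].lower()
    return host if same else None


def senders_needing_template(lines):
    """Count affected stored lines per sending host."""
    return Counter(h for h in map(duplicated_host, lines) if h)


# Constructed payloads in the three shapes the thread discusses.
BODY = "su: pam_unix(su-l:session): session opened for user root by orion(uid=0)"
FULL = f"<86>Sep  5 09:10:05 cynosure {BODY}"  # timestamp + hostname + tag
BARE = f"<86>{BODY}"                            # tag + message only
TEMPLATED = f"<86>Sep  5 09:10:05 {BODY}"       # shape of the comment 5 template

if __name__ == "__main__":
    stored = [store(p, "cynosure") for p in (FULL, BARE, TEMPLATED)]
    for line in stored:
        print(duplicated_host(line) or "-", "|", line)
    print(dict(senders_needing_template(stored)))
```

Running `senders_needing_template` over a loghost's authpriv file gives a per-host count of lines that will break hostname-keyed parsing or alerting until the sender's forwarding template is changed.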