
michael at maymann
Feb 27, 2012, 11:57 AM
Post #15 of 15
Hi,

Rainer: sent you the new debug log outside list.
Please let me know if I can do anything more to solve this.

Thanks in advance :-) !
~maymann

2012/2/14 Rainer Gerhards <rgerhards [at] hq>

> > -----Original Message-----
> > From: Michael Maymann [mailto:michael [at] maymann]
> > Sent: Tuesday, February 14, 2012 10:10 AM
> > To: Rainer Gerhards
> > Cc: rsyslog-users
> > Subject: Re: rsyslog tarball
> >
> > Hi,
> >
> > David: thanks.
> > Rainer: I will try to install a new rsyslog server with the latest
> > package you sent me. Point my troublesome host to that server and send
> > you the debug log from there...
>
> Thx, that would be great. We have a great opportunity here to finally iron
> out the cache code :)
>
> Rainer
>
> > Br.
> > ~maymann
> >
> > 2012/2/14 Rainer Gerhards <rgerhards [at] hq>
> >
> > > > I am not behind NAT..., and some hosts (also RHEL5) from same VLAN
> > > > are logging their hostname just fine...
> > > > If this is taken from the IP-header, all syslog-messages (whether it
> > > > be legacy or rsyslog) will report its actual IP in a non-NAT'ed
> > > > environment. So this situation wouldn't be possible either if it is
> > > > legacy syslog or rsyslog - am I right ?
> > > >
> > > > Rainer: Are you able to see, from the last debug output I sent you,
> > > > what is happening (think I also sent you the hostname/ip of "the
> > > > problem host" directly) ?
> > >
> > > I think I didn't get a debug log that shows this problem. At least I
> > > have none in my mail archive.
> > >
> > > In any case, in order to track this down quickly, I need a debug log
> > > where the vast majority of traffic is from a system that doesn't
> > > appear to be right. So that I can see which receive is from that
> > > system and how it is processed. It is much harder to try to analyze
> > > this if there are several hosts and I don't know what to look at.
> > > Note that I am off to the Fedora Developer Conference tomorrow and
> > > busy there for the rest of the week.
> > >
> > > Rainer
> > >
> > > > Br.
> > > > ~maymann
> > > >
> > > > 2012/2/13 Rainer Gerhards <rgerhards [at] hq>
> > > >
> > > > > > -----Original Message-----
> > > > > > From: Michael Maymann [mailto:michael [at] maymann]
> > > > > > Sent: Monday, February 13, 2012 1:25 PM
> > > > > > To: Rainer Gerhards
> > > > > > Cc: rsyslog-users
> > > > > > Subject: Re: rsyslog tarball
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Rainer: thanks - the fix you sent me seems to work...:-) at least
> > > > > > on hosts sending its IP... - unfortunately not all legacy syslog
> > > > > > clients do..:-( !
> > > > > >
> > > > > > I tried to restart syslog again on the host that caused "???"
> > > > > > before, but I am still unable to find either IP or hostname in
> > > > > > the log...
> > > > > >
> > > > > > is FROMHOST based on:
> > > > > > 1. dns-lookup of the IP inside the transmitted IP-packet ?
> > > > > > or
> > > > > > 2. dns-lookup of what it states as its IP/hostname inside
> > > > > > syslog-message ?
> > > > >
> > > > > Neither. It's just the remote peer (taken from the IP header). It's
> > > > > not taken from a syslog header field. If you use DNS reverse
> > > > > resolution, it's the name, else the IP address.
> > > > >
> > > > > > I would prefer 1., as this would always be right - except if
> > > > > > you're in a NAT'ed environment...
> > > > > > Preferably NAT could be auto-detected (could it be: if traffic is
> > > > > > coming from syslog-server LAN or syslog-server default-GW then
> > > > > > the client is not NAT'ed ?) or alternatively
> > > > > > IPPacketIP/IPPacketFromHost (nslookup of IPPacketIP) variables
> > > > > > could be added and used if it fits ones environment... ?
> > > > >
> > > > > The best route is to make sure all syslogd's emit proper RFC3164 or
> > > > > RFC5424 format and simply use HOSTNAME. (you may also look at [1]
> > > > > for NAT and non-rsyslog).
> > > > >
> > > > > Rainer
> > > > > [1] http://www.rsyslog.com/article19/
> > > > >
> > > > > > Br.
> > > > > > ~maymann
> > > > > >
> > > > > > 2012/2/7 Rainer Gerhards <rgerhards [at] hq>
> > > > > >
> > > > > > > That's a regular log file [in RSYSLOG_DebugForm], showing the
> > > > > > > log messages as you received them. That's not a debug log that
> > > > > > > shows rsyslog processing. To create the latter, do the same
> > > > > > > procedure that you used to create the content of your mail I
> > > > > > > received at 8:43am today. *That* was a debug log. Look at the
> > > > > > > content of both of your mails and you will immediately notice
> > > > > > > the difference.
> > > > > > >
> > > > > > > Please also keep the mailing list CCed...
> > > > > > >
> > > > > > > Rainer
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Michael Maymann [mailto:michael [at] maymann]
> > > > > > > > Sent: Tuesday, February 07, 2012 10:28 AM
> > > > > > > > To: Rainer Gerhards
> > > > > > > > Subject: Re: rsyslog tarball
> > > > > > > >
> > > > > > > > it states "Debug line with all properties:" all over the
> > > > > > > > logfile...
> > > > > > > > Please tell me how to run this thing...?
> > > > > > > >
> > > > > > > > ~maymann
> > > > > > > >
> > > > > > > > 2012/2/7 Rainer Gerhards <rgerhards [at] hq>
> > > > > > > >
> > > > > > > > > I guess you mistook files: this was not a debug log but a
> > > > > > > > > logfile ;)
> > > > > > > > >
> > > > > > > > > rainer
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Michael Maymann [mailto:michael [at] maymann]
> > > > > > > > > > Sent: Tuesday, February 07, 2012 10:22 AM
> > > > > > > > > > To: Rainer Gerhards
> > > > > > > > > > Cc: david [at] lang; rsyslog-users
> > > > > > > > > > Subject: Re: rsyslog tarball
> > > > > > > > > >
> > > > > > > > > > Just made a shorter run with same info inside...
> > > > > > > > > > attached...
> > > > > > > > > >
> > > > > > > > > > ~maymann
> > > > > > > > > >
> > > > > > > > > > 2012/2/7 Rainer Gerhards <rgerhards [at] hq>
> > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: Michael Maymann [mailto:michael [at] maymann]
> > > > > > > > > > > > Sent: Tuesday, February 07, 2012 9:46 AM
> > > > > > > > > > > > To: Rainer Gerhards
> > > > > > > > > > > > Cc: david [at] lang; rsyslog-users
> > > > > > > > > > > > Subject: Re: rsyslog tarball
> > > > > > > > > > > >
> > > > > > > > > > > > Hi Rainer,
> > > > > > > > > > > >
> > > > > > > > > > > > it is 30Mb - please provide ftp-upload...
> > > > > > > > > > >
> > > > > > > > > > > Zipped or plain? If not zipped, you can probably
> > > > > > > > > > > compress it by 90+%. Anyhow, the FTP server is
> > > > > > > > > > >
> > > > > > > > > > > ftp://custservice.adiscon.com/incoming
> > > > > > > > > > >
> > > > > > > > > > > user anonymous, password whatever you like
> > > > > > > > > > > Note that you can only upload, NOT read. Most
> > > > > > > > > > > importantly, you won't be able to see the file when the
> > > > > > > > > > > upload is done.
> > > > > > > > > > >
> > > > > > > > > > > If you can compress and mail the file, I can possibly
> > > > > > > > > > > faster access it, just if that's an option.
> > > > > > > > > > >
> > > > > > > > > > > Thanks!
> > > > > > > > > > > Rainer
> > > > > > > > > > >
> > > > > > > > > > > > br.
> > > > > > > > > > > > ~maymann
> > > > > > > > > > > >
> > > > > > > > > > > > 2012/2/7 Rainer Gerhards <rgerhards [at] hq>
> > > > > > > > > > > >
> > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > From: Michael Maymann [mailto:michael [at] maymann]
> > > > > > > > > > > > > > Sent: Tuesday, February 07, 2012 8:43 AM
> > > > > > > > > > > > > > To: Rainer Gerhards; david [at] lang
> > > > > > > > > > > > > > Subject: Re: rsyslog tarball
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > [root [at] oulog00 log]# /usr/sbin/rsyslogd -c 6 -d
> > > > > > > > > > > > > > 9788.497831529:7f639a331700: rsyslogd 6.3.7-postexp1 startup, compatibility mode 6, module path '', cwd:/var/log
> > > > > > > > > > > > > > 9788.497969104:7f639a331700: caller requested object 'net', not found
> > > > > > > > > > > > >
> > > > > > > > > > > > > [snip]
> > > > > > > > > > > > >
> > > > > > > > > > > > > Sorry, this debug info does not contain any of the
> > > > > > > > > > > > > instrumentation I need (no case occurred) I guess
> > > > > > > > > > > > > you have cut that off. Please send me a complete
> > > > > > > > > > > > > file, best as an attachment (working with saved
> > > > > > > > > > > > > mail messages is far less nice :)).
> > > > > > > > > > > > >
> > > > > > > > > > > > > If the debug log is too large to mail, please let
> > > > > > > > > > > > > me know. I can provide an anonymous upload-only ftp
> > > > > > > > > > > > > server in that case.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks!
> > > > > > > > > > > > > Rainer

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
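The distinction drawn in the quoted thread between FROMHOST (the remote peer) and the HOSTNAME field of an RFC3164 or RFC5424 header, as an added example that is not part of the original posts and is not rsyslog code. The function name `attribute`, the sample datagrams, the addresses and the reverse-DNS map are constructed, and falling back to the peer when the header carries no hostname is this example's assumption.

```python
import re

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME ...  ("-" means no hostname)
RFC5424 = re.compile(r"^<\d{1,3}>1 \S+ (\S+) ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(
    r"^<\d{1,3}>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" [ \d]\d \d\d:\d\d:\d\d (\S+) ")


def attribute(datagram, peer_ip, reverse_dns=None):
    """Return both identities of the sender of one received datagram."""
    # fromhost: the remote peer; a name only if reverse resolution has one.
    fromhost = (reverse_dns or {}).get(peer_ip, peer_ip)
    text = datagram.decode("utf-8", "replace")
    match = RFC5424.match(text) or RFC3164.match(text)
    claimed = match.group(1) if match else None
    if claimed == "-":  # RFC 5424 NILVALUE: header present, hostname absent
        claimed = None
    return {
        "fromhost": fromhost,
        "fromhost_ip": peer_ip,
        # Assumption of this example: use the peer when nothing is claimed.
        "hostname": claimed or fromhost,
        "hostname_from_header": claimed is not None,
    }


# Constructed sample traffic: (datagram, address the packet arrived from).
REVERSE_DNS = {"192.0.2.10": "web01.example.net"}
SAMPLES = [
    # Well-formed RFC 3164 from a host that reverse-resolves.
    (b"<34>Feb 14 10:10:00 web01 sshd[411]: session opened", "192.0.2.10"),
    # RFC 5424 arriving via a gateway: the peer is the gateway, not the host.
    (b"<13>1 2012-02-14T10:10:00Z app7.example.net myapp 9 - - up",
     "192.0.2.1"),
    # Legacy client that sends no timestamp or hostname at all.
    (b"<13>kernel: link up", "192.0.2.77"),
]


def run_samples():
    return [attribute(data, ip, REVERSE_DNS) for data, ip in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The second sample shows why the two values diverge behind a gateway or NAT, and the third shows a client whose only usable identity is the peer address.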