我正在尝试在Ubuntu 10.04 LTS上使用stock rsyslogd(4.2.0-2ubuntu8.1)实现一个简单的集中式系统日志服务器.此时,我的所有客户端节点都将日志发送到中央服务器,但客户端正在发送包含其短主机名而不是其FQDN的日志消息.
根据Ubuntu rsyslogd手册页:
If the remote host is located in the same domain as the host,rsyslogd is running on,only the simple hostname will be logged instead of the whole fqdn.
这对我来说是有问题的,因为我在环境之间重复使用短名称,例如core1.example.com和core1.stg.example.com都将其消息记录为core1.
客户端和服务器都具有相同的/ etc / default / rsyslog:
RSYSLOGD_OPTIONS="-c4"
和/etc/rsyslogd.conf文件一样:
$ModLoad imuxsock $ModLoad imklog $PreserveFQDN on $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $FileOwner root $FileGroup adm $FileCreateMode 0640 $IncludeConfig /etc/rsyslog.d/*.conf
客户端有这个/etc/rsyslog.d/remote.conf文件,告诉他们发送到远程服务器:
*.* @@syslog.example.com
并且服务器使用此/etc/rsyslog.d/server.conf文件:
$ModLoad imtcp $InputTCPServerRun 514 $DirGroup root $DirCreateMode 0755 $FileGroup root $template PerHostAuth,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/auth.log" $template PerHostCron,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/cron.log" $template PerHostSyslog,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/syslog" $template PerHostDaemon,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/daemon.log" $template PerHostKern,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/kern.log" $template PerHostLpr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/lpr.log" $template PerHostUser,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/user.log" $template PerHostMail,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.log" $template PerHostMailInfo,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.info" $template PerHostMailWarn,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.warn" $template PerHostMailErr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/mail.err" $template PerHostNewsCrit,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.crit" $template PerHostNewsErr,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.err" $template PerHostNewsNotice,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/news.notice" $template PerHostDebug,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/debug" $template PerHostMessages,"/srv/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages" auth,authpriv.* ?PerHostAuth *.*;auth,authpriv.none -?PerHostSyslog cron.* ?PerHostCron daemon.* -?PerHostDaemon kern.* -?PerHostKern lpr.* -?PerHostLpr mail.* -?PerHostMail user.* -?PerHostUser mail.info -?PerHostMailInfo mail.warn ?PerHostMailWarn mail.err ?PerHostMailErr news.crit ?PerHostNewsCrit news.err ?PerHostNewsErr news.notice -?PerHostNewsNotice *.=debug;\ auth,authpriv.none;\ news.none;mail.none -?PerHostDebug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -?PerHostMessages
由于客户端和服务器共享一个指定“$PreserveFQDN on”的配置,我希望在syslog消息中看到FQDN主机名,但该设置似乎没有任何效果.我发现的rsyslog的大多数其他设置都旨在从FQDN中剥离域而不是保留它们.我认为问题的根源是我的客户端首先不发送FQDN,但我不知道如何强制这种行为.
任何人都可以评论我可能会失踪的东西吗?我想我不是唯一需要将FQDN包含在日志消息中的人.