Centos – RSyslog sends logs to logstash with host as IP not FQDN

Tags: apache-2.2, centos, logstash, rsyslog

I am having an issue. I am trying to send apache/nginx logs to a logstash server. The problem is that rsyslog sends the host as an IP, not the server's FQDN.

Solutions that I have tried:

  1. PreserveFQDN on (did not help)
  2. Added the FQDN to the hosts file and enabled PreserveFQDN again (did not help)
  3. Added %FROMHOST% to the template, but that only added the short FQDN in front of the message

My config:

#rsyslog v3 config file
# Managed by Puppet

#### MODULES ####

$ModLoad imuxsock.so  # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so  # provides kernel logging support (previously done by rklogd)
$ModLoad imfile.so # provides support for logging from files
$ModLoad immark.so # enable mark messages

#### GLOBAL DIRECTIVES ####

$PreserveFQDN on
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$WorkDirectory /var/spool/rsyslog
$SystemLogRateLimitInterval 5
$SystemLogRateLimitBurst 10000

$MainMsgQueueType LinkedList
$MainMsgQueueFileName mainmsg_queue
$MainMsgQueueMaxDiskSpace 1g
$MainMsgQueueSaveOnShutdown on

$ActionQueueType LinkedList
$ActionQueueFileName action_queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on

$ActionResumeRetryCount -1

$MarkMessagePeriod 1200

#### TEMPLATES ####

$template MsgFormat, "%msg%\n"
$template ApacheAccess, "/var/log/httpd/%programname%.log"
$template ApacheError, "/var/log/httpd/%programname%.log"
$template NginxAccess, "/var/log/nginx/%msg:F,32:2%_access.log"
$template NginxError, "/var/log/nginx/error.log"
# Note: none of the templates above are referenced by a rule in this file;
# the forwarding rule below uses rsyslog's default forwarding format.
$template test, "%FROMHOST% %msg%"

#### RULES ####

# Forward every local5 message to the log server over UDP (@ = UDP, @@ = TCP)
local5.* @logserver:514

# Apache logging: discard (~) locally after forwarding
local5.info ~
local5.err ~

# Nginx logging: discarded locally; note that no rule above forwards local4
local4.info ~
local4.err ~

Where could the problem be? It sends the message like this:

{:event=>{"message"=>"[Wed Sep 10 15:30:03 2014] [notice] Digest: generating secret for digest authentication ...", "@version"=>"1", "@timestamp"=>"2014-09-16T07:46:12.000Z", "type"=>"syslog", "host"=>"SERVERIP(needs to be full FQDN)", "priority"=>171, "timestamp"=>"Sep 16 10:46:12", "logsource"=>"SERVERSHORTFQDN", "program"=>"apache", "severity"=>3, "facility"=>21, "facility_label"=>"local5", "severity_label"=>"Error"}, :level=>:debug, :file=>"(eval)", :line=>"18"}

Rsyslog version:

rsyslogd 5.8.10, compiled with:
    FEATURE_REGEXP:             Yes
    FEATURE_LARGEFILE:          No
    GSSAPI Kerberos 5 support:      Yes
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported:  Yes
    64bit Atomic operations supported:  Yes
    Runtime Instrumentation (slow code):    No

See http://www.rsyslog.com for more information.

Best Answer

Historically I've seen this handled from the RDNS side: the server pipes its message to the remote server (in your case, logstash), which then performs the reverse lookup on the hostname to tag its message with the name. Of course, this requires you to be able to control the reverse DNS of your servers.

http://logstash.net/docs/1.4.2/filters/dns
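Two things worth knowing before reaching for the dns filter. First, logstash's syslog input fills the "host" field from the address of the socket peer that delivered the datagram, while "logsource" comes from the HOSTNAME field inside the message (the grok on the input parses it as SYSLOGLINE). So $PreserveFQDN and rsyslog templates can only ever change "logsource"; nothing the sender puts in the message changes "host". Second, rsyslog works out its own hostname when it starts, so after editing /etc/hosts you need to restart it, and it is worth comparing the output of hostname and hostname -f on the web server with what shows up in "logsource".

The block below is an added example, not code from the original post or from logstash: it models what the syslog input does with the line rsyslog forwards, then applies the reverse-DNS step the answer describes (the same thing the dns filter does with reverse => ["host"], with both its "replace" and "append" actions). The sample log line, the peer IP 192.0.2.10 and the PTR table are constructed so it runs offline; real_resolver shows the live equivalent.

```python
"""Model of logstash's syslog input plus a reverse-DNS step on the "host" field.
Added example; the sample line, peer addresses and PTR table are constructed."""
import re
import socket
from typing import Callable, Dict, List, Optional, Union

# RFC 3164 shape that rsyslog's default forwarding template emits:
#   <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<message>.*)$"
)

Event = Dict[str, Union[str, int, List[str]]]
Resolver = Callable[[str], Optional[str]]


def parse_syslog(line: str, peer_ip: str) -> Event:
    """Build an event the way logstash's syslog input does.

    "host" is taken from the transport (the peer address of the datagram);
    "logsource" is whatever HOSTNAME the sender wrote into the message.
    The two are independent, which is why PreserveFQDN never changes "host".
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"host": peer_ip, "message": line, "tags": ["_syslogparsefailure"]}
    pri = int(m.group("pri"))
    event: Event = {
        "host": peer_ip,                     # from the socket, not the message
        "logsource": m.group("logsource"),   # rsyslog's idea of its own hostname
        "timestamp": m.group("timestamp"),
        "program": m.group("program"),
        "message": m.group("message"),
        "facility": pri >> 3,                # PRI = facility * 8 + severity
        "severity": pri & 7,
        "tags": [],
    }
    if m.group("pid"):
        event["pid"] = int(m.group("pid"))
    return event


def reverse_dns_filter(event: Event, resolver: Resolver,
                       field: str = "host", action: str = "replace") -> Event:
    """Reverse-resolve one field, like logstash's dns filter with reverse => [field].

    action="replace" overwrites the IP with the PTR name; action="append"
    keeps both as [ip, name]. A failed lookup leaves the field untouched and
    tags the event, so hosts without a PTR record are visible rather than
    silently staying as bare IPs.
    """
    value = event.get(field)
    if not isinstance(value, str):
        return event
    name = resolver(value)
    if name is None:
        event.setdefault("tags", []).append("_dnsfailure")  # type: ignore[union-attr]
        return event
    if action == "replace":
        event[field] = name
    elif action == "append":
        event[field] = [value, name]
    else:
        raise ValueError("action must be 'replace' or 'append'")
    return event


# Constructed PTR table standing in for the reverse zone you control.
FAKE_PTR = {"192.0.2.10": "web01.example.com"}


def fake_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for a reverse lookup."""
    return FAKE_PTR.get(ip)


def real_resolver(ip: str) -> Optional[str]:
    """Live reverse lookup; returns None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


# Constructed sample: PRI 171 = local5 (21) * 8 + err (3), as in the question.
SAMPLE_LINE = ("<171>Sep 16 10:46:12 web01 apache: [Wed Sep 10 15:30:03 2014] "
               "[notice] Digest: generating secret for digest authentication ...")

if __name__ == "__main__":
    ev = parse_syslog(SAMPLE_LINE, "192.0.2.10")
    print("before:", ev["host"], ev["logsource"])
    reverse_dns_filter(ev, fake_resolver)
    print("after: ", ev["host"], ev["logsource"])
```

Run it and the first line shows host=192.0.2.10 next to logsource=web01, the second shows host=web01.example.com; the short name in logsource is unaffected, which is what $PreserveFQDN (plus an /etc/hosts entry listing the FQDN first, and a restart) is for on the rsyslog side.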