Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#677 closed defect (worksforme)

FQDN treated as syslog tag by rsyslog

Reported by: www.google.com/accounts/o8/id?id=AItOawmj12vpDwZMQmrhg1PArPTD3kel8Qdg7QA Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.7.x
Keywords: syslog log Cc:
uname -a: Linux ***.***.*** 3.2.0-72-virtual #107-Ubuntu SMP Thu Nov 6 14:41:52 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.7.8 built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) TLS SNI support enabled configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-cc-opt=-Wno-error --add-module=/opt/rubies/ruby-2.1.2/lib/ruby/gems/2.1.0/gems/passenger-4.0.53/ext/nginx --sbin-path=/usr/local/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log

Description

Not sure if this is an nginx issue or an rsyslog issue. For messages sent to syslog through a unix socket, the FQDN is treated as the syslog tag or programname instead of the tag set in the nginx conf file. E.g., for this config:

  access_log syslog:server=unix:/dev/log,tag=nginxtag;

rsyslog treats the FQDN as programname, while 'nginxtag' is treated as part of the message.

Change History (6)

comment:1 Changed 4 years ago by www.google.com/accounts/o8/id?id=AItOawmj12vpDwZMQmrhg1PArPTD3kel8Qdg7QA

This is also reported to rsyslog by sindarina here:

http://kb.monitorware.com/nginx-logging-rsyslog-t12359.html

comment:2 Changed 4 years ago by vl

  • Resolution set to invalid
  • Status changed from new to closed

nginx uses message format described in RFC 3164 which includes hostname.
Please see rsyslog manual to configure correct parsing template.
Also see http://www.rsyslog.com/doc/syslog_parsing.html

comment:3 Changed 4 years ago by www.google.com/accounts/o8/id?id=AItOawmdDpmB9G8lE80lE6AktX0i-1hR-rEV4v4

I have recently been facing this issue when trying to use the syslog functionality in nginx. The problem here is that gethostname() actually returns the FQDN instead of the hostname. This is at least common on RHEL and CentOS systems. Rsyslog does not like this. This is a sample output I got from strace:

sendto(33, "<174>Apr  1 10:34:01 web001.dom.com nginx: 10.0.82.41 - - [01/Apr/2015:10:34:01 -0700] \"GET /healthcheck HTTP/1.1\" 200 2903 \"-\" \"-\"", 156, 0, NULL, 0) = 156

comment:4 Changed 4 years ago by www.google.com/accounts/o8/id?id=AItOawmdDpmB9G8lE80lE6AktX0i-1hR-rEV4v4

  • Resolution invalid deleted
  • Status changed from closed to reopened

comment:5 Changed 4 years ago by vl

  • Resolution set to worksforme
  • Status changed from reopened to closed

Speaking practically, I just tried rsyslog-8.7.0 and I see no complaints
regarding FQDN in log messages, everything is logged ok.

Note that the usual practice is to not trust hostnames provided in the
message and replace them with actual data determined by means of the syslog
daemon (i.e. %fromhost% speaking of rsyslog), so there is not much use in the hostname
field set by nginx anyway.

Formally speaking, RFC3164 says that the domain part should not be included and since
gethostname() may return FQDN, there is an issue in the current implementation, although
I don't think this needs to be fixed because (1) see above, (2) newer syslog RFC 5424
allows the domain name to be present.

Please do not reopen this ticket, as your problem is unrelated to the original problem.

comment:6 Changed 3 years ago by Vladimir Homutov <vl@…>

In 6286:a6a2016b8e31/nginx:

Syslog: added "nohostname" option.

The option disables sending hostname in the syslog message header. This is
useful with syslog daemons that do not expect it (tickets #677 and #783).
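
An added illustration (not nginx or rsyslog code) of the mismatch discussed in this ticket: the same datagram split by a receiver that expects the RFC 3164 HOSTNAME field and by one that does not, with the receiver-side hostname taken from the transport rather than from the message, as comment:5 recommends. The simplified tag rule, the `fromhost` parameter and the sample datagrams are assumptions made for the example.

```python
import re

# <PRI>TIMESTAMP, then everything else; the timestamp is "Mmm dd hh:mm:ss".
HEADER = re.compile(r"<(?P<pri>\d{1,3})>"
                    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<rest>.*)", re.S)
# Simplified tag rule (assumption): the tag ends at the first space, ':' or '['.
TAG = re.compile(r"(?P<tag>[^ :\[]+)(?:\[\d+\])?:? ?(?P<msg>.*)", re.S)


def parse(datagram, expect_hostname, fromhost="localhost"):
    """Split a BSD-syslog datagram the way a receiver with the given
    expectation would. `fromhost` (hypothetical parameter) stands for the
    sender identity the receiver derives from the transport; the hostname
    inside the message is only a claim made by the sender."""
    m = HEADER.match(datagram)
    if m is None:
        raise ValueError("no <PRI>TIMESTAMP header")
    facility, severity = divmod(int(m["pri"]), 8)
    claimed, rest = None, m["rest"]
    if expect_hostname:
        claimed, sep, rest = rest.partition(" ")
        if not sep:
            raise ValueError("header ends before the tag")
    t = TAG.match(rest)
    if t is None:
        raise ValueError("no tag found")
    return {"facility": facility, "severity": severity, "timestamp": m["ts"],
            "hostname": fromhost, "claimed_hostname": claimed,
            "programname": t["tag"], "msg": t["msg"]}


# Constructed datagrams, shortened from the strace line quoted in comment:3.
WITH_HOST = "<174>Apr  1 10:34:01 web001.dom.com nginx: GET /healthcheck 200"
NO_HOST = "<174>Apr  1 10:34:01 nginx: GET /healthcheck 200"  # as with "nohostname"

if __name__ == "__main__":
    cases = (("hostname sent, not expected", WITH_HOST, False),
             ("hostname sent, expected", WITH_HOST, True),
             ("nohostname, not expected", NO_HOST, False))
    for label, dgram, expect in cases:
        r = parse(dgram, expect)
        print(f"{label:28} programname={r['programname']!r} msg={r['msg']!r}")
```

The first case reproduces the reported symptom: the FQDN lands in `programname` and the configured tag becomes the start of the message text.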
