#677 closed defect (worksforme)
FQDN treated as syslog tag by rsyslog
Reported by: | Ke Zhang | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.7.x |
Keywords: | syslog log | Cc: | |
uname -a: | Linux ***.***.*** 3.2.0-72-virtual #107-Ubuntu SMP Thu Nov 6 14:41:52 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | | |
nginx -V:
nginx version: nginx/1.7.8
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-cc-opt=-Wno-error --add-module=/opt/rubies/ruby-2.1.2/lib/ruby/gems/2.1.0/gems/passenger-4.0.53/ext/nginx --sbin-path=/usr/local/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log
Description
Not sure if this is an nginx issue or an rsyslog issue. For messages sent to syslog through a unix socket, the FQDN is treated as the syslog tag or programname instead of the tag set in the nginx conf file. E.g., for this config:
access_log syslog:server=unix:/dev/log,tag=nginxtag;
rsyslog treats the FQDN as the programname, and 'nginxtag' as part of the message.
Change History (6)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
nginx uses the message format described in RFC 3164, which includes the hostname.
Please see the rsyslog manual to configure the correct parsing template.
Also see http://www.rsyslog.com/doc/syslog_parsing.html
comment:3 by , 10 years ago
I have recently been facing this issue when trying to use the syslog functionality in nginx. The problem here is that gethostname() actually returns the FQDN instead of the hostname. This is at least common on RHEL and CentOS systems. Rsyslog does not like this. This is a sample output I got from strace:
sendto(33, "<174>Apr 1 10:34:01 web001.dom.com nginx: 10.0.82.41 - - [01/Apr/2015:10:34:01 -0700] \"GET /healthcheck HTTP/1.1\" 200 2903 \"-\" \"-\"", 156, 0, NULL, 0) = 156
comment:4 by , 10 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
comment:5 by , 10 years ago
Resolution: | → worksforme |
---|---|
Status: | reopened → closed |
Speaking practically, I just tried rsyslog-8.7.0 and I see no complaints
regarding FQDN in log messages; everything is logged OK.
Note that the usual practice is not to trust hostnames provided in the
message and to replace them with actual data determined by means of the syslog
daemon (i.e. %fromhost% speaking of rsyslog), so there is not much use in the hostname
field set by nginx anyway.
Formally speaking, RFC 3164 says that the domain part should not be included, and since
gethostname() may return an FQDN, there is an issue in the current implementation, although
I don't think this needs to be fixed because (1) see above, (2) the newer syslog RFC 5424
allows the domain name to be present.
Please do not reopen this ticket, as your problem is unrelated to the original problem.
This is also reported to rsyslog by sindarina here:
http://kb.monitorware.com/nginx-logging-rsyslog-t12359.html
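
Added example, not part of the ticket and not code from nginx or rsyslog: a small Python parser run over the strace sample from comment:3, showing the two readings discussed above (with a HOSTNAME field as in RFC 3164, and without one) plus the RFC 3164 "no domain part" check from comment:5. That a receiver on the local socket expects the tag directly after the timestamp is an assumption made here to reproduce the reported symptom; the function names are hypothetical.

```python
import ipaddress
import re

# Message copied from the strace output in comment:3 (nginx writing to /dev/log).
SAMPLE = ('<174>Apr 1 10:34:01 web001.dom.com nginx: 10.0.82.41 - - '
          '[01/Apr/2015:10:34:01 -0700] "GET /healthcheck HTTP/1.1" 200 2903 "-" "-"')

# <PRI>, then "Mmm dd hh:mm:ss", then the remainder of the line.
HEAD = re.compile(r'<(\d{1,3})>([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (.*)', re.S)


def parse_bsd_syslog(raw, has_hostname):
    """Split a BSD-syslog line into its fields.

    has_hostname=True  : RFC 3164 layout, TIMESTAMP HOSTNAME TAG: MSG
    has_hostname=False : assumed local-socket layout, TIMESTAMP TAG: MSG
    """
    m = HEAD.match(raw)
    if not m:
        raise ValueError("not a BSD syslog message")
    pri, timestamp, rest = int(m.group(1)), m.group(2), m.group(3)
    if pri > 191:  # highest valid PRI is facility 23, severity 7
        raise ValueError("PRI out of range")
    hostname = None
    if has_hostname:
        hostname, _, rest = rest.partition(' ')
    # Lenient tag: everything up to ':', '[' or whitespace.
    tag = re.match(r'[^\s:\[]+', rest).group(0)
    msg = rest[len(tag):].lstrip(': ')
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": timestamp,
            "hostname": hostname, "tag": tag, "msg": msg}


def hostname_has_domain(hostname):
    """True if HOSTNAME carries a domain part, which RFC 3164 says not to include.
    IP addresses are allowed in the field, so they are not flagged."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        return '.' in hostname


if __name__ == "__main__":
    for layout in (True, False):
        fields = parse_bsd_syslog(SAMPLE, has_hostname=layout)
        print(layout, fields["hostname"], fields["tag"], fields["msg"][:20])
```

With the hostname-less reading the FQDN lands in the tag field and `nginx:` becomes the start of the message text, which is the behaviour the ticket describes.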