I ran into a problem. I am trying to send apache/nginx logs to a logstash server. The problem is that rsyslog sends the host as an IP rather than the server's FQDN.
Solutions I have tried:
- PreserveFQDN on (did not help)
- added the FQDN to the hosts file and enabled PreserveFQDN again (did not help)
- added %FROMHOST% to the template, but that only prepended the short FQDN to the message
My config:
#rsyslog v3 config file
# Managed by Puppet
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
$ModLoad imfile.so # provides support for logging from files
$ModLoad immark.so # enable mark messages
#### GLOBAL DIRECTIVES ####
$PreserveFQDN on
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$WorkDirectory /var/spool/rsyslog
$SystemLogRateLimitInterval 5
$SystemLogRateLimitBurst 10000
$MainMsgQueueType LinkedList
$MainMsgQueueFileName mainmsg_queue
$MainMsgQueueMaxDiskSpace 1g
$MainMsgQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionQueueFileName action_queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
$MarkMessagePeriod 1200
#### TEMPLATES ####
$template MsgFormat, "%msg%\n"
$template ApacheAccess, "/var/log/httpd/%programname%.log"
$template ApacheError, "/var/log/httpd/%programname%.log"
$template NginxAccess, "/var/log/nginx/%msg:F,32:2%_access.log"
$template NginxError, "/var/log/nginx/error.log"
$template test, "%FROMHOST% %msg%"
#### RULES ####
local5.* @logserver:514
# Apache logging
local5.info ~
local5.err ~
# Nginx logging
local4.info ~
local4.err ~
Where could the problem be? It sends messages like this:
{:event=>{"message"=>"[Wed Sep 10 15:30:03 2014] [notice] Digest: generating secret for digest authentication ...", "@version"=>"1", "@timestamp"=>"2014-09-16T07:46:12.000Z", "type"=>"syslog", "host"=>"SERVERIP(needs to be full FQDN)", "priority"=>171, "timestamp"=>"Sep 16 10:46:12", "logsource"=>"SERVERSHORTFQDN", "program"=>"apache", "severity"=>3, "facility"=>21, "facility_label"=>"local5", "severity_label"=>"Error"}, :level=>:debug, :file=>"(eval)", :line=>"18"}
Rsyslog version:
rsyslogd 5.8.10, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
See http://www.rsyslog.com for more information.
Answer 1
Historically, I have seen this handled from the RDNS side: the server delivers its messages to a remote server (logstash in your case), and the remote server then performs a reverse lookup on the hostname to tag its messages with the name. Of course, this requires that you control the server's reverse DNS.
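The reverse-lookup approach the answer describes, as an added example that is not part of the original post: it takes an event shaped like the one in the question ("host" holds the sender's IP, "logsource" the short name from the syslog header), resolves the IP to a name, and accepts that name only when it forward-confirms back to the same IP, since both the PTR record and the header name are controlled by parties other than the log server. The event, DNS tables, names and addresses are constructed for offline use; the live lookups are standard-library socket calls.

```python
import socket
from typing import Dict, Optional

# Constructed sample event in the shape the question shows: "host" is the
# sender's IP as seen by logstash, "logsource" the short name from the header.
SAMPLE_EVENT = {"type": "syslog", "program": "apache", "severity": 3,
                "host": "192.0.2.10", "logsource": "web01"}

# Constructed DNS tables (TEST-NET addresses, placeholder names) so the
# example runs offline; swap in reverse_dns/forward_dns for live lookups.
FAKE_PTR = {"192.0.2.10": "web01.example.com", "192.0.2.11": "web01.example.net"}
FAKE_A = {"web01.example.com": {"192.0.2.10"}, "web01.example.net": {"198.51.100.5"}}

def table_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def table_forward(name: str) -> set:
    return FAKE_A.get(name, set())

def reverse_dns(ip: str) -> Optional[str]:
    """Live PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def forward_dns(name: str) -> set:
    """Live A/AAAA lookup; empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def enrich_with_fqdn(event: Dict, reverse=reverse_dns, forward=forward_dns) -> Dict:
    """Replace "host" with the sender's FQDN only when the PTR name resolves back
    to the sending IP (forward-confirmed reverse DNS); keep the IP as evidence."""
    out = dict(event)
    ip = event["host"]
    out["host_ip"] = ip
    fqdn = reverse(ip)
    if fqdn and ip in forward(fqdn):
        out["host"], out["fqdn_source"] = fqdn, "fcrdns"
    else:
        out["fqdn_source"] = "unverified"
    # A header name that disagrees with DNS is worth a detection rule of its own.
    out["logsource_matches"] = bool(fqdn) and fqdn.split(".")[0] == event.get("logsource")
    return out
```

With the constructed tables, 192.0.2.10 is rewritten to web01.example.com, while 192.0.2.11 keeps its IP because its PTR name does not resolve back to it.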