For some reason, we redirect syslog events from RHEL 6 (with rsyslog) to RHEL 5 (with syslogd).

On RHEL 6 in rsyslog.conf:

*.*                 @10.30.46.211

On RHEL 5 in /etc/sysconfig/syslog:

SYSLOGD_OPTIONS="-r -m 0"

On RHEL 6, the event looks like (/var/log/secure):

Oct 25 02:10:03 rh6q32 sshd[1849]: pam_unix(sshd:session): session closed for user root

On RHEL 5, the same event looks like (/var/log/secure):

Oct 25 02:10:03 rh6q32 rh6q32 sshd[1849]: pam_unix(sshd:session): session closed for user root

The difference is the doubled host name (rh6q32).

The question: is it possible to get rid of the double hostname?

Thanks, Yuri

user54614
  • Don't you mean from RHEL 6 to RHEL 5? Or your output is swapped. I can't see why you'd have the hostname twice to begin with, then once after redirection. – Sirex Oct 26 '11 at 12:24
  • Yes, from rhel 6 to rhel 5, thanks. What could be the reason for this behaviour? – user54614 Oct 26 '11 at 15:34

2 Answers

The difference is that apparently 6 is using rsyslog instead of the old syslog. You can customize rsyslog with templates:

$template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"
*.*     @192.168.1.1;sysklogd

from kkoncepts.net

Jure1873

RHEL5 syslog doesn't send a 'correct' header according to RFC3164 (yay standards). There's supposed to be a hostname in the syslog packet. rhel5.x syslogd adds the source host to incoming syslog traffic.

As someone else said, rsyslog was added in RHEL 6.x, which is RFC3164 compliant. Hey presto your syslogd ends up adding a host field that's already there.

Rasputnik
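
The two answers above, combined in an added example that is not part of the original thread: this Python sketch models the receiver as the second answer describes it (a simplification, not sysklogd's actual code) and feeds it the packet with and without the hostname field that the first answer's template drops. The PRI value 86 (authpriv.info), the function names and the sample packet are constructed from the event in the question.

```python
import re

# Constructed sample, taken from the event shown in the question.
TIMESTAMP = "Oct 25 02:10:03"
HOSTNAME = "rh6q32"
TAG = "sshd[1849]:"
MSG = " pam_unix(sshd:session): session closed for user root"  # %msg% keeps its leading space
PRI = 86  # assumed: authpriv (10) * 8 + info (6)


def forward_with_hostname():
    """Wire format carrying the RFC 3164 HOSTNAME field (what RHEL 6 sends by default)."""
    return f"<{PRI}>{TIMESTAMP} {HOSTNAME} {TAG}{MSG}"


def forward_with_template():
    """Wire format of the answer's template: <%PRI%>%TIMESTAMP% %syslogtag%%msg%"""
    return f"<{PRI}>{TIMESTAMP} {TAG}{MSG}"


_HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")


def legacy_receiver(packet, source_host):
    """Model of the RHEL 5 side: keep the timestamp, insert the sender's
    host name, and treat everything after the timestamp as message text."""
    m = _HEADER.match(packet)
    if m is None:
        raise ValueError("not a BSD-syslog style packet")
    _pri, timestamp, rest = m.groups()
    return f"{timestamp} {source_host} {rest}"


def has_doubled_host(line):
    """Detect the symptom in a stored log line: the two fields that follow
    the 15-character timestamp are identical."""
    fields = line[16:].split(" ", 2)
    return len(fields) >= 2 and fields[0] == fields[1]


if __name__ == "__main__":
    for packet in (forward_with_hostname(), forward_with_template()):
        stored = legacy_receiver(packet, HOSTNAME)
        print(has_doubled_host(stored), stored)
```

Log parsers that key on the host field will read the program name from the wrong position while the doubled form is in place, so `has_doubled_host` is a quick check to run over the collector's files before and after changing the template.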