# No jail hostname in rsyslog logs



## spiky (Nov 12, 2013)

Hi,

I have a 9.2 host with a 9.2 jail. I want to collect logs from my jail with the rsyslog of the physical host. I've tried to add an additional socket as shown on http://www.rsyslog.com/doc/imuxsock.html:


```
$InputUnixListenSocketHostName jail1.example.net
$AddUnixListenSocket /jail/1/dev/log
```
Things are working but I don't get the jail hostname in my logs:


```
2013-11-12T18:29:24.330573-05:00  sshd[22783]: Accepted keyboard-interactive/pam for spiky from 192.168.1.2 port 18344 ssh2
```
while I get the hostname if the log concerns the physical host. I also get the hostname in logs of other hosts which send logs via port 514 UDP:


```
2013-11-12T18:46:30.430236-05:00 beasty sshd[26771]: Accepted publickey for nrpe from 192.168.1.51 port 64670 ssh2
```

This happens on rsyslog v6. I've tried with v7 and, instead of nothing, the hostname of the physical host appears for log lines concerning the jail!

Help!


----------



## spiky (Nov 13, 2013)

Here's what I have when I use the RSYSLOG_DebugFormat value for $ActionFileDefaultTemplate:


```
FROMHOST: 'RSYSLOG_DebugFormat', fromhost-ip: '127.0.0.1', HOSTNAME: 'RSYSLOG_DebugFormat', PRI: 38,
syslogtag 'sshd[35206]:', programname: 'sshd', APP-NAME: 'sshd', PROCID: '35206', MSGID: '-',
TIMESTAMP: 'Nov 12 19:22:43', STRUCTURED-DATA: '-',
msg: ' Accepted keyboard-interactive/pam for spiky from 192.168.1.2 port 61757 ssh2'
escaped msg: ' Accepted keyboard-interactive/pam for spiky from 192.168.1.2 port 61757 ssh2'
inputname: imuxsock rawmsg: '<38>Nov 12 19:22:43 sshd[35206]: Accepted keyboard-interactive/pam for spiky from 192.168.1.2 port 61757 ssh2'
```

rsyslog thinks the hostname is RSYSLOG_DebugFormat?

Let's compare that to a normal log entry from the physical host:


```
FROMHOST: 'beasty', fromhost-ip: '127.0.0.1', HOSTNAME: 'beasty', PRI: 38,
syslogtag 'sshd[37054]:', programname: 'sshd', APP-NAME: 'sshd', PROCID: '37054', MSGID: '-',
TIMESTAMP: 'Nov 12 19:30:27', STRUCTURED-DATA: '-',
msg: ' Accepted keyboard-interactive/pam for root from 192.168.1.2 port 48641 ssh2'
escaped msg: ' Accepted keyboard-interactive/pam for root from 192.168.1.2 port 48641 ssh2'
inputname: imuxsock rawmsg: '<38>Nov 12 19:30:27 sshd[37054]: Accepted keyboard-interactive/pam for root from 192.168.1.2 port 48641 ssh2'
```


----------



## SirDice (Nov 13, 2013)

Make sure DNS or your hosts file is able to resolve 192.168.1.2.


----------



## spiky (Nov 13, 2013)

Thanks for your reply. When sending logs over the network, I know that the receiver must be able to resolve the sender. But here, I'm forcing a hostname (that of my jail, "slinky") when the logs are received through a particular Unix socket. Nonetheless, I've put "slinky" and its IP in the /etc/hosts of the physical host ("beasty") and of the jail, but it still doesn't work :\


----------



## taurrus (Dec 9, 2013)

I have the exact same problem:

```
root:~ # uname -a
FreeBSD domovoy.in.ua 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255983: Wed Oct  2 18:02:03 EEST 2013     root@domovoy.in.ua:/usr/obj/usr/src/sys/DOMOVOY  amd64
root:~ # pkg_info | grep rsyslog
rsyslog-7.4.4_1     Syslogd supporting SQL, TCP, and TLS
```

My rsyslog.conf:

```
module(load="imuxsock") # needs to be done just once
input(type="imuxsock" HostName="svn.domovoy.in.ua" Socket="/files/js/svn/var/run/log")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup wheel
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$template DebugFormat, "%timegenerated% Inputname:%inputname% Hostname:%hostname% Source:%source% From IP:%fromhost-ip% From Host:%fromhost% TAG from the message:%syslogtag% Facility \"%syslogfacility-text% \(%syslogfacility%\)\", Severity \"%syslogseverity-text% \(%syslogseverity%\)\"%msg:::drop-last-lf%\n"
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
$template SERVall,"/var/log/all.log"
*.* ?SERVall;DebugFormat
```
I have several jails: svn, mail, etc. In the SVN jail I send the command `root@svn:/ # logger System TEST` and in the log file I get:

```
Dec  9 16:29:39 Inputname:imuxsock Hostname:domovoy Source:domovoy From IP:127.0.0.1 From Host:domovoy TAG from the message:taurus: Facility "user (1)", Severity "notice (5)" System TEST
```
Why not change the name of the sender to a specified one? It should be "svn.domovoy.in.ua". What could be the problem?


----------
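A way to turn the `logger System TEST` check from the post above into a repeatable probe: send a tagged message into a jail's log socket, then confirm the line rsyslog wrote carries the jail hostname rather than the physical host's. This is an added example, not code from the thread or from rsyslog; the socket path, the `hostcheck` tag, the nonce and the sample log lines are constructed, and the parser expects lines in the `DebugFormat` template from the post above.

```python
import re
import socket
import time

# One line written by the DebugFormat template in the post above:
# "... Inputname:%inputname% Hostname:%hostname% Source:%source% From IP:%fromhost-ip%
#  From Host:%fromhost% TAG from the message:%syslogtag% Facility "..", Severity ".."%msg%"
DEBUGFMT_RE = re.compile(
    r"Inputname:(?P<inputname>\S+) Hostname:(?P<hostname>\S+) Source:(?P<source>\S+) "
    r"From IP:(?P<fromip>\S+) From Host:(?P<fromhost>\S+) TAG from the message:(?P<tag>\S*) "
    r'Facility "(?P<facility>[^"]*)", Severity "(?P<severity>[^"]*)"(?P<msg>.*)$'
)

def parse_debugfmt(line):
    """Split one DebugFormat line into its fields; None if the line is not in that format."""
    m = DEBUGFMT_RE.search(line)
    return m.groupdict() if m else None

def probe_message(nonce):
    """RFC 3164-style datagram as logger(1) sends it on /dev/log: <PRI>TIMESTAMP TAG: MSG.
    PRI 13 = user(1)*8 + notice(5). There is no hostname field in the datagram, which is
    why the HostName configured on the imuxsock socket has to supply it."""
    t = time.localtime()
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<13>{ts} hostcheck: HOSTCHECK {nonce}".encode()

def send_probe(socket_path, nonce):
    """Write the probe into a jail's log socket (assumed path, e.g. /jail/1/dev/log)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(probe_message(nonce), socket_path)
    finally:
        s.close()

def check_attribution(lines, nonce, expected_hostname):
    """Find the probe in the written log and compare the recorded hostname with the jail's.
    Returns ("ok"|"misattributed"|"missing", recorded_hostname)."""
    marker = f"HOSTCHECK {nonce}"
    for line in lines:
        rec = parse_debugfmt(line)
        if rec and marker in rec["msg"]:
            status = "ok" if rec["hostname"] == expected_hostname else "misattributed"
            return status, rec["hostname"]
    return "missing", None

# Constructed sample lines in the shape of the post's output: the first shows the problem
# (physical host name on a jail message), the second is what a correct setup should write.
SAMPLE_LOG = [
    'Dec  9 16:29:39 Inputname:imuxsock Hostname:domovoy Source:domovoy From IP:127.0.0.1 '
    'From Host:domovoy TAG from the message:hostcheck: Facility "user (1)", Severity "notice (5)" HOSTCHECK abc123',
    'Dec  9 16:30:02 Inputname:imuxsock Hostname:svn.domovoy.in.ua Source:svn.domovoy.in.ua From IP:127.0.0.1 '
    'From Host:svn.domovoy.in.ua TAG from the message:hostcheck: Facility "user (1)", Severity "notice (5)" HOSTCHECK def456',
]
```

In practice you would call `send_probe("/files/js/svn/var/run/log", nonce)` from the host, wait a moment, and pass the tail of `/var/log/all.log` to `check_attribution`.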

