HOST macro problems when sending messages between syslog-ng instances via OTLP/gRPC #4729
Comments
Is it perhaps keep-hostname(no) on the receiving end?
No. It's an almost default openSUSE syslog-ng.conf:
And if you take a closer look at the macros on the receiving side, you will find an interesting one
On Sat, Dec 2, 2023, 17:16 Peter Czanik ***@***.***> wrote:
No. It's an almost default openSUSE syslog-ng.conf:
#
# Global options.
#
options { chain_hostnames(off); flush_lines(0); perm(0640); stats(freq(3600)); threaded(yes); };
Keep-hostname(no) is the default.
This may be surprising for non-syslog traffic though.
And if you take a closer look at the macros on the receiving side, you
will find an interesting one "SOURCEIP":"127.0.0.1" as if the log is
originating from the localhost. Is this macro copied over from the source
host? It is not really clear for me, which name-value pair is coming from
the original message, and what is populated by the destination host.
I think that value is simply not populated.
When using the following config with a syslog() source on the same host:
I get the following logs:
and the same as JSON:
So, HOST, HOST_FROM, and SOURCEIP are all set to the IP address where the log is coming from, when using the syslog() source, but set to "127.0.0.1" and "tumbleweed" when using syslog-ng-otlp() source.
@bazsi I did a few more experiments while testing syslog-ng-otlp() on RHEL9 (to do functional testing of your RHEL9 patch). If I use keep-hostname(yes) then:
If keep-hostname(no) then:
Where localhost is the hostname of the RHEL 9 machine. Name-value pairs are even more interesting. In the first case: "HOST":"fedora" but, "LOGHOST":"localhost" and "HOST_FROM":"localhost". For keep-hostname(no), all three name-value pairs are set to "localhost" (on the positive side: OpenTelemetry support on RHEL 9 works with your patch, and with the same bug as on other platforms :-) )
I wanted to learn about OpenTelemetry. Before looking at other log sources / destinations I wanted to get OTLP working between two syslog-ng instances.
The sender host is called fedora, and has the following config:
The receiving host is called tumbleweed, and has the following config:
Expectation: I see the same log on both hosts:
Reality: on the receiving host the log created on fedora looks like:
Next I created file destinations with JSON formatting and printed all name-value pairs on both hosts.
Output of logger bla on the source side:
The same log on the receiver side:
As you can see, on the receiving host all host related macros are set to tumbleweed instead of fedora, except for .journald.HOSTNAME.
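A check a log consumer could run over the receiver's JSON output to flag the misattribution reported in this issue: host fields that name the receiving host while .journald.HOSTNAME names a different one. This is an added example, not code from the issue or from syslog-ng; the function names, the receiver name set and the sample records are constructed, and the nested `_journald` layout is an assumption about the JSON template in use.

```python
import json

# Host-related name-value pairs named in the thread.
HOST_FIELDS = ("HOST", "HOST_FROM", "SOURCEIP")
# Origin hint that survived the hop in the report.
ORIGIN_KEY = ".journald.HOSTNAME"

def lookup(record, dotted):
    """Return a value stored under a flat dotted key or as nested objects.

    Assumption: a leading dot may have been exported as '_' and the
    remaining dots as nesting; adjust to match your own JSON template.
    """
    if dotted in record:
        return record[dotted]
    parts = dotted.lstrip(".").split(".")
    parts[0] = ("_" if dotted.startswith(".") else "") + parts[0]
    node = record
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def misattributed(line, receiver_names):
    """List the host fields that name the receiver although the record
    carries a different origin hostname; empty list if consistent."""
    record = json.loads(line)
    origin = lookup(record, ORIGIN_KEY)
    if origin is None or origin in receiver_names:
        return []  # no origin hint, or the log really is local
    return [f for f in HOST_FIELDS if record.get(f) in receiver_names]

# Constructed sample records, modelled on the values quoted in the thread.
RECEIVER = {"tumbleweed", "127.0.0.1"}
SAMPLES = [
    '{"HOST":"tumbleweed","HOST_FROM":"tumbleweed","SOURCEIP":"127.0.0.1",'
    '"MESSAGE":"bla","_journald":{"HOSTNAME":"fedora"}}',
    '{"HOST":"fedora","HOST_FROM":"tumbleweed","SOURCEIP":"127.0.0.1",'
    '"MESSAGE":"bla",".journald.HOSTNAME":"fedora"}',
    '{"HOST":"tumbleweed","HOST_FROM":"tumbleweed","MESSAGE":"local",'
    '"_journald":{"HOSTNAME":"tumbleweed"}}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(misattributed(sample, RECEIVER))
```

Records without a .journald.HOSTNAME value are skipped, so this only covers logs that entered the sender through the journal.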