Why do some of my logs use Localhost and others Hostname - Different Servers


https://wiki.archlinux.org/index.php/rsyslog#Configure_Hostname

Rsyslog uses the glibc routine gethostname() or gethostbyname() to determine the hostname of the local machine. The gethostname() or gethostbyname() routines check the contents of /etc/hosts for the fully qualified domain name (FQDN) if you are not using BIND or NIS.

More specifically, if the localhost entry for your IP comes first in /etc/hosts, then it will take precedence.

(Assuming that files is the first value in the hosts: line in /etc/nsswitch.conf. Or alternatively, that your hostname cannot be resolved using DNS).


The Arch Wiki page goes on to explain:

You can check what the local machine's currently configured FQDN is by running hostname --fqdn. The output of hostname --short will be used by rsyslog when writing log messages. If you want to have full hostnames in logs, you need to add $PreserveFQDN on to the beginning of the file (before using any directive that writes to files). This is because rsyslog reads the config file and applies it on-the-go and then reads the later lines.

The /etc/hosts file contains a number of lines that map FQDNs to IP addresses and that map aliases to FQDNs. See the example /etc/hosts file below:

/etc/hosts

#<ip-address>   <hostname.domain.org>                        <hostname>
#<ip-address>   <actual FQDN>                                <aliases>
127.0.0.1       localhost.localdomain somehost.localdomain   localhost somehost
::1             localhost.localdomain somehost.localdomain   localhost somehost

localhost.localdomain is the first item following the IP address, so the gethostbyname() function will return localhost.localdomain as the local machine's FQDN. The /var/log/messages file will then use localhost as the hostname.

To use somehost as the hostname, move somehost.localdomain to the first item:

/etc/hosts

#<ip-address>   <hostname.domain.org>                        <hostname>
#<ip-address>   <actual FQDN>                                <aliases>
127.0.0.1       somehost.localdomain localhost.localdomain   localhost somehost
::1             somehost.localdomain localhost.localdomain   localhost somehost

It might be hard to tell exactly how the relevant information is selected from /etc/hosts (or the DNS) in various circumstances. Reading the source code again, I think rsyslog tries to resolve the system hostname (output of hostname command) into an FQDN.

I think this means where it says "gethostname or gethostbyname" above, it should really say "gethostname and gethostbyname". So those instructions could probably be improved, but they at least point you at the right place.

There is also a very similar question asked on the rsyslog-users mailing list.
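The lookup described in the answer above, as an added example that is not part of the original answer or of rsyslog: a simplified model of a "files" lookup in /etc/hosts, useful for auditing which hosts would send log lines attributed to localhost before centralizing logs. It assumes files comes first in nsswitch.conf and there is no DNS fallback; the function names are hypothetical.

```python
# Added example: simplified model of an /etc/hosts ("files") lookup.
# Assumption: `files` is first in the hosts: line of /etc/nsswitch.conf, no DNS fallback.

def parse_hosts(text):
    """Return [(ip, [canonical, alias, ...]), ...] in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def canonical_name(hosts_text, hostname):
    """First name on the first line that lists `hostname` (name or alias)."""
    wanted = hostname.lower()
    for _ip, names in parse_hosts(hosts_text):
        if wanted in (n.lower() for n in names):
            return names[0]
    return hostname  # not listed: this model has nothing else to resolve against

def logged_hostname(hosts_text, hostname, preserve_fqdn=False):
    """Short name by default; full name when $PreserveFQDN on is modelled."""
    fqdn = canonical_name(hosts_text, hostname)
    return fqdn if preserve_fqdn else fqdn.split(".", 1)[0]

def audit(hosts_text, hostname):
    """Flag a host whose log lines would be attributed to 'localhost'."""
    name = logged_hostname(hosts_text, hostname)
    return {"hostname": hostname, "logged_as": name,
            "ambiguous": name.lower() == "localhost"}

# The two /etc/hosts layouts quoted in the answer.
HOSTS_LOCALHOST_FIRST = """\
#<ip-address>   <actual FQDN>   <aliases>
127.0.0.1 localhost.localdomain somehost.localdomain localhost somehost
::1       localhost.localdomain somehost.localdomain localhost somehost
"""
HOSTS_SOMEHOST_FIRST = """\
127.0.0.1 somehost.localdomain localhost.localdomain localhost somehost
::1       somehost.localdomain localhost.localdomain localhost somehost
"""

if __name__ == "__main__":
    for label, hosts in (("localhost first", HOSTS_LOCALHOST_FIRST),
                         ("somehost first", HOSTS_SOMEHOST_FIRST)):
        print(label, audit(hosts, "somehost"))
```

On a real server, pass the contents of /etc/hosts and the output of hostname to audit() to see whether that machine's entries would be indistinguishable from other hosts in a central log store.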

Author: FreeSoftwareServers

Updated on September 18, 2022

Comments

  • FreeSoftwareServers over 1 year

    I am debugging something related to LDAP logins ("Ldap SSH Login not working - Same configs worked on 20+ other servers - Ubuntu"), and I noticed that on some servers the logs use localhost and on others they have the hostname. Having the hostname seems to make the most sense, especially if we were to centralize the log files.

    How is this configured? Why isn't it default to use hostname? Just kinda made me curious...

    Examples :

    Oct 29 11:23:56 daily sshd[20625]: pam_unix(sshd:session): session opened for user LDAPUSERNAME by (uid=0)
    

    Or

    Oct 29 10:56:36 localhost sshd[2560]: pam_unix(sshd:auth): check pass; user unknown
    

    Update:

    user@qa-ops:~$ hostname
    qa-ops
    user@daily:~$ hostname
    daily.domain.com
    

    Perhaps it has to do with Daily having a full domain name in hostname? I always thought /etc/hostname was just supposed to be the short part of the hostname, not the full hostname.domain.com etc.

  • FreeSoftwareServers over 7 years
    I'll test this later and accept! Seems preferred to have a hostname in logs, so I'd probably make this change to all my servers! Thanks for a really good answer.