how to spoof hostname in syslog messages?

Question

I am logging messages like this in perl -

syslog ("LOG_INFO", "this is info");
syslog ("LOG_WARNING", "this is warning");

when I see these messages, I get this-

Nov 15 20:20:47 ubuntu tag-0.0.2[13399]: this is info
Nov 15 20:20:47 ubuntu tag-0.0.2[13399]: this is warning

The word "ubuntu" in syslog message happens to be host name of the local host.

Is there a way I can log locally and but specify a hostname?

My app processes data from other hosts and logs information about them. It will be great if I can specify the host name when I log messages, this way I can use third party tools easily as they can easily filter out logs based upon hostname.

btw, if I can add additional question- why are the logs not showing level of message? shouldn't I expect to see "info" in info syslog message I am logging ?

sarnold · Accepted Answer

Probably the easiest way to accomplish this task is to set the syslog to receive messages over the network. For rsyslog, this is often in /etc/rsyslog.conf:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

I'm using UDP here because it is easy to do on just about any syslog daemon and demonstrating it is easy:

$ echo "<0>Oct 11 22:14:15 mymachine testing" | nc -u localhost syslog
^C
$ tail -1 /var/log/syslog
Oct 11 22:14:15 mymachine testing

In short: the represents the facility and priority, as described in section 4.1.1 of the RFC. The timestamp is highly specified in 4.1.2: in short, three-letter English month abbreviations, no leading 0 -- instead a leading space: Aug__8 rather than Aug_8 (underscores used because spaces collapse in code blocks). The hostname can't have any domain portions. IP addresses are fine, both IPv4 and IPv6.

You could also use Unix domain sockets (unix(7)) such as /dev/log. That would be more reliable than UDP.

how to spoof hostname in syslog messages?

Answers (2)

Related Questions