How to Configure rsyslogd to Log FQDN Instead of Short Hostname for Centralized Logging



When implementing centralized logging with rsyslogd, many administrators encounter situations where clients only send their short hostnames (e.g., "core1") instead of fully qualified domain names (e.g., "core1.example.com"). This becomes particularly problematic in environments where hostnames are reused across different domains.

rsyslogd's default behavior is to simplify hostnames when the remote host is in the same domain. While this reduces log size, it creates ambiguity in multi-domain environments. The $PreserveFQDN on directive should theoretically solve this, but often doesn't work as expected in older versions (like 4.2.0 in Ubuntu 10.04).

For modern rsyslogd versions (v8+), these configurations work reliably:

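# On both client and server
$PreserveFQDN on
# Not required for FQDN logging: with this off, control characters in
# received messages are written to the logs unescaped
$EscapeControlCharactersOnReceive off

# On clients specifically (TLS forwarding only: these two directives
# authenticate the server's certificate name, they do not change the
# hostname carried in the message)
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.example.com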

For legacy systems (like Ubuntu 10.04), additional measures are needed:

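# Write the HOSTNAME property to file (the uppercase option only changes case;
# the domain part is kept by $PreserveFQDN)
$template CustomFormat,"%timegenerated% %HOSTNAME:::uppercase% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate CustomFormat

# Dedicated file for the local7 test message used in the verification step
local7.* /var/log/fullhostname.log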

The system must be properly configured for DNS resolution:

  1. Ensure /etc/hosts lists the FQDN first
  2. Verify hostname -f returns the FQDN
  3. Check reverse DNS resolution works for all clients

Use these commands to verify settings:

# Check what rsyslog is using as hostname
logger -p local7.info "FQDN test message"
tail -n 1 /var/log/fullhostname.log

# Verify network transmission (-l line-buffers the output so grep sees it immediately)
tcpdump -l -i eth0 -A port 514 | grep "FQDN test message"

If native FQDN logging proves unreliable, consider:

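# Using a custom template on the server
$template LongTag,"%timegenerated% %fromhost-ip% %fromhost% %syslogtag%%msg%\n"
# Per-host file names need a file-name template, selected with "?"
$template RemoteFile,"/var/log/remote/%fromhost%.log"
*.* ?RemoteFile;LongTag

# Or modify client messages before sending. Templates do not run commands, so
# write the output of hostname -f as literal text (example value shown). A
# forwarded line starts with <PRI> and needs no trailing \n.
$template fqdnformat,"<%PRI%>%timegenerated% core1.example.com %syslogtag%%msg%"
*.* @@syslog.example.com;fqdnformat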
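
To see on the central server which clients still arrive without a domain, the following added example (not part of the original article) audits lines written with the LongTag template above. The function names, the sample lines and the default three-field timestamp layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample of /var/log/remote/*.log lines in the LongTag layout:
#   %timegenerated% %fromhost-ip% %fromhost% %syslogtag%%msg%
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 192.0.2.10 core1.prod.example.com sshd[811]: Accepted publickey for deploy
Mar  3 10:00:02 192.0.2.20 core1 cron[402]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:00:03 198.51.100.7 core1 sshd[950]: Failed password for invalid user admin
Mar  3 10:00:04 203.0.113.5 203.0.113.5 kernel: eth0: link up
Mar  3 10:00:05 192.0.2.20 core1 cron[403]: (root) CMD (true)
EOF
}

# audit_fromhost [FILE...]: print one line per distinct (name, IP) sender:
#   FQDN        name contains a domain part
#   SHORT       name has no dot; AMBIGUOUS is appended when the same short
#               name arrives from more than one IP address
#   UNRESOLVED  %fromhost% equals %fromhost-ip%, i.e. reverse DNS gave no name
# Assumes the default three-field timestamp, so $4 is the IP and $5 the name.
audit_fromhost() {
    awk '
    NF >= 5 {
        ip = tolower($4); host = tolower($5)
        if (host == ip)                 kind = "UNRESOLVED"
        else if (index(host, ".") == 0) kind = "SHORT"
        else                            kind = "FQDN"
        key = kind " " host " " ip
        if (!(key in seen)) {           # first time this sender is seen
            seen[key] = 1
            order[++n] = key            # keep first-seen order for output
            ips[host]++                 # distinct IPs using this name
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], f, " ")
            flag = (f[1] == "SHORT" && ips[f[2]] > 1) ? " AMBIGUOUS" : ""
            print order[i] flag
        }
    }' "$@"
}

sample_log | audit_fromhost
```

On a real server, pass the log files as arguments, for example `audit_fromhost /var/log/remote/*.log`. SHORT and UNRESOLVED senders are the ones to check against the DNS steps listed earlier.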

For large deployments, consider upgrading to rsyslog v8+ where FQDN handling is more robust, or implement a log shipper like fluentd that can enrich logs with additional metadata.


When implementing centralized logging with rsyslog, many administrators encounter situations where short hostnames appear in logs despite having FQDNs configured. This becomes particularly problematic in environments with multiple domains or staging/production separation (e.g., core1.prod.example.com vs core1.stg.example.com).

The $PreserveFQDN on directive in rsyslog.conf only affects how rsyslog handles hostnames that already contain domain information. The key insight is that the directive doesn't force FQDN usage - it merely preserves domain information if it exists in the received message.

To ensure FQDNs appear in your logs, you need to force clients to send their FQDN in the first place. Add these configurations to your client's rsyslog.d files:

# Force FQDN in locally generated messages
$PreserveFQDN on
local0.* /var/log/local0.log;RSYSLOG_ForwardFormat

On your central logging server, modify your templates to explicitly capture and store FQDNs:

$template CustomFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate CustomFormat

Ensure your clients can properly resolve both forward and reverse DNS:

# Test forward resolution
hostname -f
# Test reverse resolution
dig -x $(hostname -i)

For environments where you absolutely need FQDN consistency, consider this more aggressive approach:

# /etc/rsyslog.d/50-force-fqdn.conf
$PreserveFQDN on
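# Forward a full syslog line built from the hostname property
# (kept as an FQDN by $PreserveFQDN; uppercase only changes case)
$template fqdn,"<%PRI%>%timegenerated% %hostname:::uppercase% %syslogtag%%msg%"
$ActionForwardDefaultTemplate fqdn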

  • Verify rsyslog version supports FQDN features: rsyslogd -v
  • Check if hostname resolution is working: rsyslogd -dn
  • Test message flow: logger -t TEST "FQDN verification message"