Thursday, April 19, 2018

Rsyslog hostname preservation in Ubiquiti Edge Router devices

This was tested and verified on an EdgeRouter X and an EdgeRouter PRO-8 running v1.9.7+hotfix.4.

Ubiquiti Edge Router devices use rsyslog for syslog, but the default configuration does not preserve the FQDN of the router. This is causing complications in my Graylog/LibreNMS configuration.

After researching the problem I found that the three potential candidates to fix the issue are:

  1. The hostname in the /etc/hosts file needs to be set to the FQDN. I tried this; it had no effect on the syslog output.
  2. Add "$PreserveFQDN on" to the syslog configuration.
  3. Append "$LocalHostName host.name.org" to the rsyslog config.

All three configurations were made in varying order, but nothing worked. I had (incorrectly) assumed that, since they were using rsyslog and /etc/rsyslog.conf existed, /etc/rsyslog.conf would be the correct config file to edit. I even tried adding a new config file in /etc/rsyslog.d/, to no avail.

The only changes that seemed to take were in /etc/rsyslog.d/vyatta-log.conf. The "$PreserveFQDN on" syntax didn't seem to have any effect by itself, even though the system domain-name is set properly. 

I tried to manually set the FQDN in /etc/rsyslog.d/vyatta-log.conf by appending "$LocalHostName host.name.org" and restarting the rsyslog service. Again, it had no effect. Finally, adding both "$LocalHostName host.name.org" *and* "$PreserveFQDN on" worked.
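The working combination above as a repeatable step, in an added shell example that is not from the original post. The function name `ensure_fqdn_directives` is hypothetical; the file path and `host.name.org` are the post's own values.

```shell
#!/bin/sh
# Added example (not the post's code): make sure BOTH directives are present
# exactly once in an rsyslog config file, without duplicating them on re-runs.
# Usage on the router (path and hostname taken from the post):
#   ensure_fqdn_directives /etc/rsyslog.d/vyatta-log.conf host.name.org
# Prints "changed" or "unchanged"; restart rsyslog only when it prints "changed".

ensure_fqdn_directives() {
    conf=$1
    fqdn=$2

    # Accept only a dotted hostname made of letters, digits, '.' and '-',
    # so a typo or stray newline cannot add extra lines to the config.
    case $fqdn in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*)
            echo "invalid hostname: $fqdn" >&2; return 2 ;;
        *.*) ;;
        *)  echo "not an FQDN: $fqdn" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 1; }

    tmp=$(mktemp) || return 1

    # Copy everything except earlier copies of either directive.
    # grep exits 1 when no line survives the filter; only >1 is a real error.
    rc=0
    grep -viE '^[[:space:]]*\$(LocalHostName|PreserveFQDN)([[:space:]]|$)' \
        "$conf" > "$tmp" || rc=$?
    [ "$rc" -le 1 ] || { rm -f "$tmp"; return 1; }

    # Append the pair the post found necessary: neither worked on its own.
    printf '$LocalHostName %s\n$PreserveFQDN on\n' "$fqdn" >> "$tmp"

    if cmp -s "$tmp" "$conf"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi

    # Overwrite through redirection so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo changed
}
```

Because the function is idempotent, it can be re-run after a web interface change to check whether the edit survived: "unchanged" means both directives are still in place.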

I haven't tested to see if these changes will be persistent through web interface config changes, but at least it's a start. 

UPDATE: It gets weirder. Most syslog messages are making it to the server with the FQDN... except anything related to PAM. Strange...