The Gist

Where does rsyslog get the value of %HOSTNAME%?
Why does an application served by Tomcat have the correct %HOSTNAME%, but a console application with the same configuration has "unknown" as the hostname?

We're using rsyslog on an EC2 instance and we're trying to send our logs out to loggly. If I tail -f the log messages, I can see the log in the default format including date, hostname, tag, and message.

If I use logger "message" then I see a correct log entry both in the console and in loggly. However, if a java console application logs an event, the hostname is "unknown" both in the console and in loggly.

Oddly, the same configuration of rsyslog, syslog4j, and log4j results in the correct log entry if it comes from a web application hosted by tomcat.

Where does rsyslog get the value of %HOSTNAME%? Why does an application served by Tomcat have the correct %HOSTNAME%, but a console application with the same configuration has "unknown" as the hostname?

If there is not this line in rsyslog.conf add it and restart rsyslog $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

I figured this out. In order to get the hostname I needed to map the hostname to the ip address in the hosts file. I actually thought this was happening already, but at the time the script runs to append the correct hosts entry, the IP address is unknown and just the hostname gets appended to the file.

I added the correct entry and the hostname appears as expected in rsyslog and loggly.

In the meantime, I had changed the loggly format from %HOSTNAME% to %$myhostname%. This worked fine for us because we weren't remote logging so $myhostname was always the correct hostname.