<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>RE: [syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Thanks Bazsi. I finally got to the bottom of this, quite by accident. On a whim (since nothing else was working), I changed the destination for forwarding from hostnames to IP addresses. After I stopped and restarted the syslog-ng service, all worked well. I noticed in all my ltrace outputs that syslog-ng was performing a LOT of DNS queries when spoofing was on and we were using hostnames as the targets. There is not a local DNS server with this syslog-ng server, so the queries were taking quite a bit of time to come back (50-60 ms). Once I made the change to IP addresses, everything worked much better. I have now set my other syslog-ng server to use IP addresses instead of hostnames for forwarding as well.</FONT></P>
<P><FONT SIZE=2>Whoever runs the syslog-ng FAQ on campin.net may need to know that if you have performance issues, switching your targets to IP addresses instead of hostnames may clear up some issues.</FONT></P>
<P><FONT SIZE=2>Can you explain to me, though, why the spoofing needs to do so many nslookups? Why can it not cache the results of the first query? Does the application block waiting for DNS queries to come back? That may need to be addressed.... Thanks!</FONT></P>
<P><FONT SIZE=2>Chris Ivey</FONT>
</P>
<P><FONT SIZE=2>Affiliated Computer Services</FONT>
<BR><FONT SIZE=2>Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2>Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2>1120 Celebration Blvd.</FONT>
<BR><FONT SIZE=2>Celebration, FL 34747</FONT>
<BR><FONT SIZE=2>(321) 939-6540 Office</FONT>
<BR><FONT SIZE=2>8296-6540 Disney Tie-Line</FONT>
<BR><FONT SIZE=2>(407) 557-1072 Cell</FONT>
<BR><FONT SIZE=2>162*326905*19 Nextel Direct Connect</FONT>
<BR><FONT SIZE=2>chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2>"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
</P>
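<P><FONT SIZE=2>An added example, not from this thread and not part of syslog-ng itself: a small Python check that scans a syslog-ng.conf for udp()/tcp() destinations whose target is a hostname rather than an IP literal, listing the spoofed ones first, since those are the targets the message above found needing a lookup per send. It assumes the driver syntax shown in the constructed sample, with the quoted target as the first argument and spoof_source(yes) as an option.</FONT></P>

```python
import ipaddress
import re

# Matches a syslog-ng network destination driver such as
#   udp("loghost.example.com" port(514) spoof_source(yes));
# capturing the driver, the quoted target and the remaining options.
# Both spoof_source() and the newer spoof-source() spelling are accepted.
DRIVER_RE = re.compile(
    r'\b(udp6?|tcp6?)\s*\(\s*"([^"]+)"([^;]*)\)\s*;', re.IGNORECASE)
SPOOF_RE = re.compile(r'spoof[_-]source\s*\(\s*yes\s*\)', re.IGNORECASE)


def is_ip_literal(target):
    """True when the target is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def find_hostname_targets(conf_text):
    """Return (driver, target, spoof_enabled) for each udp/tcp destination
    whose target is a hostname and therefore needs resolving at send time."""
    findings = []
    for driver, target, options in DRIVER_RE.findall(conf_text):
        if not is_ip_literal(target):
            findings.append((driver.lower(), target, bool(SPOOF_RE.search(options))))
    return findings


def report(conf_text):
    """Human-readable lines, one per hostname target; spoofed ones first."""
    lines = []
    for driver, target, spoof in sorted(find_hostname_targets(conf_text),
                                        key=lambda f: not f[2]):
        tag = "spoofed" if spoof else "plain"
        lines.append(f"{driver}({target!r}) is a hostname ({tag} forwarding): "
                     f"use the resolved IP literal instead")
    return lines


# Constructed sample configuration (not a real syslog-ng.conf from the thread).
SAMPLE_CONF = '''
destination d_loghost { udp("loghost.corp.example" port(514) spoof_source(yes)); };
destination d_backup  { udp("192.0.2.10" port(514) spoof_source(yes)); };
destination d_archive { tcp("archive.corp.example" port(5140)); };
destination d_v6      { udp6("2001:db8::25" port(514)); };
'''

if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print(line)
```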
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: syslog-ng-bounces@lists.balabit.hu [<A HREF="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</A>] On Behalf Of Balazs Scheidler</FONT>
<BR><FONT SIZE=2>Sent: Sunday, January 14, 2007 9:47 AM</FONT>
<BR><FONT SIZE=2>To: Syslog-ng users' and developers' mailing list</FONT>
<BR><FONT SIZE=2>Subject: RE: [syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?</FONT>
</P>
<P><FONT SIZE=2>On Thu, 2007-01-11 at 10:24 -0600, Ivey, Chris wrote:</FONT>
<BR><FONT SIZE=2>> Bazsi, </FONT>
<BR><FONT SIZE=2>> Thanks for your help thus far. After MUCH trial and error</FONT>
<BR><FONT SIZE=2>> with enabling and disabling things in syslog-ng.conf, and watching</FONT>
<BR><FONT SIZE=2>> "netstat -an" output after each attempt, I have narrowed this issue</FONT>
<BR><FONT SIZE=2>> down to something to do with spoofing. From my starting</FONT>
<BR><FONT SIZE=2>> syslog-ng.conf file, if I do NOTHING but turn off spoofing, the Recv-Q</FONT>
<BR><FONT SIZE=2>> buffer stops filling and all is happy. If I turn on spoofing, those</FONT>
<BR><FONT SIZE=2>> buffers start filling again. I used tkdiff to compare my 2</FONT>
<BR><FONT SIZE=2>> syslog-ng.conf files side-by-side, and the only differences between</FONT>
<BR><FONT SIZE=2>> the 2 are the lines where the forward-to hosts are defined and where</FONT>
<BR><FONT SIZE=2>> the destinations are defined (the bad server has lines commented, the</FONT>
<BR><FONT SIZE=2>> good one does not). Lsof on both machines for syslog-ng shows the</FONT>
<BR><FONT SIZE=2>> same libraries opened and such. So, the question now is what happens</FONT>
<BR><FONT SIZE=2>> with spoofing that would cause all these issues? What does spoofing</FONT>
<BR><FONT SIZE=2>> do in the background that my server is unhappy about? Any insight</FONT>
<BR><FONT SIZE=2>> would be greatly appreciated!</FONT>
</P>
<P><FONT SIZE=2>As the server is "unhappy", it is probably some kind of spoof filtering,</FONT>
<BR><FONT SIZE=2>e.g. the default route of the server points to a different interface,</FONT>
<BR><FONT SIZE=2>and the server drops the packets because of this.</FONT>
</P>
<P><FONT SIZE=2>-- </FONT>
<BR><FONT SIZE=2>Bazsi</FONT>
</P>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>syslog-ng maillist - syslog-ng@lists.balabit.hu</FONT>
<BR><FONT SIZE=2><A HREF="https://lists.balabit.hu/mailman/listinfo/syslog-ng" TARGET="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A></FONT>
<BR><FONT SIZE=2>Frequently asked questions at <A HREF="http://www.campin.net/syslog-ng/faq.html" TARGET="_blank">http://www.campin.net/syslog-ng/faq.html</A></FONT>
</P>
</BODY>
</HTML>