<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
Balazs Scheidler wrote:
<blockquote cite="mid:1257458810.26947.217.camel@bzorp.balabit"
type="cite">
<pre wrap="">On Wed, 2009-11-04 at 09:03 -0600, Jason Barrett wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
Balazs Scheidler wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Fri, 2009-10-30 at 14:23 -0500, Jason Barrett wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi all,
I'm relaying log messages from one syslog-ng server to another. At the
final stop, the only way I can get the $HOST macro to work is if I
enable dns resolution on server 1. Is this by design? Here are the
relevant configs:
----------------------------------------------------------------------
syslog-ng server 1 (relays to server 2):
chain_hostnames(yes);
keep_hostname(yes);
use_dns(no);
source s_udp { udp(port(514)); };
destination df_udpback { udp("192.168.1.157" port(514)); };
log { source(s_udp); destination(df_udpback); };
----------------------------------------------------------------------
syslog-ng server 2:
chain_hostnames(yes);
keep_hostname(yes);
use_dns(yes);
source s_udp { udp(port(514)); };
destination df_udp { file("/var/log/ics/$HOST/$YEAR/$MONTH/$DAY"); };
log { source(s_udp); destination(df_udp); };
----------------------------------------------------------------------
Sample log message on server 2:
Oct 30 09:35:03 10.12.24.46/10.12.24.46 %ASA-5-111005: 10.28.22.55 end
configuration: OK
10.12.24.46 is the correct IP address of the originating host, and $HOST
resolves to this IP address. I would prefer $HOST to resolve to the
hostname as it exists in the /etc/hosts file.
</pre>
</blockquote>
<pre wrap="">$HOST always resolves to the "HOST" portion of the syslog message.
syslog-ng can resolve only from /etc/hosts if you use these global
options:
options { use-dns(persist-only) dns-cache-hosts('/etc/hosts'); };
</pre>
</blockquote>
<pre wrap="">"$HOST always resolves to the "HOST" portion of the syslog message."
So if the syslog message's host field contains an IP Address, $HOST will always resolve to the IP address regardless of the use-dns setting?
</pre>
</blockquote>
<pre wrap=""><!---->
that depends on the keep-hostname() setting. It works like this
* message comes in with something in its "HOST" field, the message may
lack a hostname in which case syslog-ng _always_ adds one.
* syslog-ng decides whether it should trust the hostname field
(keep-hostname is set to yes it will trust it, if set to no it will not)
* if keep-hostname() is set to no, then syslog-ng will rewrite the HOST
field, possibly using DNS use-dns(yes)
Anything that refers to the HOST macro is done after this rewrite is
complete.
</pre>
</blockquote>
Thanks for the reply.<br>
<br>
Using keep-hostname(no), syslog-ng rewrites (or appends if
chain-hostname(yes)) the hostname using the source IP of the packet.
Unfortunately, I trust the original IP address, I just want to resolve
it to a name. I think the only way to accomplish this is to use the
spoof-source option or rewrite the hostname at the first syslog-ng
hop. Is this accurate?<br>
</body>
</html>