<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#0050d0">
<br>
<br>
Sent: Mon Aug 29 2011 15:20:51 GMT-0600 (MST)<br>
From: Matt Zagrabelny <a class="moz-txt-link-rfc2396E" href="mailto:mzagrabe@d.umn.edu"><mzagrabe@d.umn.edu></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: [syslog-ng] malformed syslog packets?
<blockquote
cite="mid:CAOLfK3WK3hFkt+Oab84pnCZc4540Y-Gko2FwJyV8Ga3y_vx3qg@mail.gmail.com"
type="cite">
<pre wrap="">Hi!
I've got a central log server running the OSE 3.1.3 version of syslog-ng:
dpkg -l syslog-ng
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Description
+++-==============-============-================================
ii  syslog-ng      3.1.3-3      Next generation logging daemon
I have dns lookup turned on via:
options {
use_dns(yes);
dns_cache(2000);
dns_cache_expire(87600);
};
And this seems to work just fine...except for a certain type of device
on our network.
We have a number of UPSes that log to our central log server and it
seems that the DNS lookups do not work for those (types of devices).
% cd /var/log/syslog-ng/remote_clients
% ls -d 10.*
When I look up those IP addresses, they are *all* APC batteries (UPSes).
For instance:
% dig -x 10.25.5.43 +short
kplz246Abat1.d.umn.edu.
Is it possible that they are sending some sort of munged data to the
log server and syslog-ng is not able to perform the (reverse) name
lookup?
Any advice?
Thanks, much!
-Matt Zagrabelny
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<br>
What macro are you using for the file name?<br>
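As an added example, not part of the original thread, the following script triages captured BSD-syslog (RFC 3164) lines the way one would when asking whether the UPSes really send "munged" data: for each line it checks whether the position where RFC 3164 expects the HOSTNAME field holds a resolvable hostname, an IP literal, nothing at all (the TAG follows the timestamp directly), or whether the header does not parse. The sample lines and the function names are constructed for this example; only the hostname kplz246Abat1 and address 10.25.5.43 come from the message above.

```python
"""Triage captured BSD-syslog (RFC 3164) lines: does each carry a usable
HOSTNAME field, an IP literal, or no hostname at all?  Constructed example
for the thread above, not part of syslog-ng or the original posts."""
import ipaddress
import re

# <PRI>, then "Mmm dd hh:mm:ss", then the rest of the line.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$"
)
# One RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_hostname(token: str) -> str:
    """Classify the token sitting where RFC 3164 puts the HOSTNAME field."""
    try:
        ipaddress.ip_address(token)
        return "ip-literal"
    except ValueError:
        pass
    if token.endswith(":") or "[" in token:
        # Looks like the TAG (e.g. "ups:" or "ups[12]:"): the sender skipped
        # the HOSTNAME field entirely.
        return "missing"
    if all(_LABEL.match(label) for label in token.rstrip(".").split(".")):
        return "hostname"
    return "invalid"


def triage(line: str) -> dict:
    """Return header status, the hostname token (if any) and its kind."""
    m = _HEADER.match(line)
    if not m:
        return {"header": "malformed", "hostname": None, "kind": "unparsable"}
    token = m.group("rest").split(" ", 1)[0]
    kind = classify_hostname(token)
    host = None if kind == "missing" else token
    return {"header": "ok", "hostname": host, "kind": kind}


# Constructed sample lines; not captured from the devices in the thread.
SAMPLES = [
    "<14>Aug 29 15:20:51 kplz246Abat1 ups: On battery power",
    "<14>Aug 29 15:20:51 10.25.5.43 ups: On battery power",
    "<14>Aug 29 15:20:51 ups[12]: On battery power",
    "<14>2011-08-29T15:20:51 kplz246Abat1 ups: On battery power",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample)["kind"], "<-", sample)
```

Run it over lines captured from the UDP port with tcpdump or a debug destination; a run of "ip-literal" or "missing" results from one device class explains IP-named directories without any reverse-DNS failure.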
</body>
</html>