Actually it's the precisely correct number of digits: 163181224153 -> 163.181.224.153.

I also get similar results from subnets that don't match up quite so nicely. For example: 16318110115 -> 163.181.10.115, or 163.181.101.15.

So I don't think it's a "packed IP -> hostname" problem; I think there might be something buggy in the DNS lookup code where somehow the source IP address gets b0rked into a decimal IP address without periods somehow.

I doubt that the hosts are sending out incorrect data, as I have never *ever* seen this behavior before switching to syslog-ng.

Paul Krizak                         5900 E. Ben White Blvd. MS 625
Advanced Micro Devices              Austin, TX 78741
Linux/Unix Systems Engineering      Phone: (512) 602-8775
Microprocessor Solutions Sector     Cell: (512) 791-0686

Balazs Scheidler wrote:
On Wed, 2006-04-05 at 11:35 -0500, Paul Krizak wrote:
I'm using the $HOST macro in a template, the relevant configuration bits being:
template t_human_readable {
    template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
    template-escape(no);
};
source s_external_syslog {
    udp(port(514));
};
destination d_big_messages {
    file ( "/var/log/logs/messages.log"
        template(t_human_readable)
        owner(root) group(root) perm(0644)
    );
};
log {
    source(s_external_syslog);
    destination(d_big_messages);
};
The weird thing is that occasionally the $HOST field shows up as the IP address, but without dots, i.e. 163181224153. I haven't really discovered a pattern to it yet, but I'm wondering if maybe it's a bug in the DNS caching code. I'm using pretty large values:
dns_cache(yes); dns_cache_size(10000); dns_cache_expire(3600); dns_cache_expire_failed(30);
I'm about sure that it is not affected as in syslog-ng 2.0 these options are currently ignored as there's no dns cache (yet).
The hostname that you quote above cannot be an IP address as it contains too many digits. Isn't it possible that the host sometimes sends this hostname in the message itself? If keep_hostname() is enabled, then the one in the syslog message is used instead of the reverse-resolved one.
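A triage aid for the symptom discussed in this thread, added here as an example (not code from the thread or from syslog-ng): it scans lines written with the t_human_readable template for all-digit $HOST values and lists every dotted-quad address each one could stand for. The sample lines, their date layout, and the function names are constructed for illustration.

```python
import re

# Layout written by the t_human_readable template on this page:
# "$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE". The date layout in SAMPLE
# is an assumption; the regex only needs HOST right before "facility.priority".
LINE_RE = re.compile(r"^.*? (?P<host>\S+) (?P<fac>[a-z0-9]+)\.(?P<pri>[a-z]+) ")

def dotted_candidates(digits, prefix=""):
    """Return every valid dotted-quad reading of an all-digit string."""
    found = []

    def split(rest, octets):
        if len(octets) == 4:
            if not rest:
                found.append(".".join(octets))
            return
        for n in (1, 2, 3):
            part = rest[:n]
            if len(part) < n:
                break
            if (part[0] == "0" and n > 1) or int(part) > 255:
                continue  # leading zero or octet out of range
            split(rest[n:], octets + [part])

    if digits.isascii() and digits.isdigit() and 4 <= len(digits) <= 12:
        split(digits, [])
    return [ip for ip in found if ip.startswith(prefix)]

def suspicious_hosts(lines, prefix=""):
    """Map each dot-less numeric $HOST value to its possible source IPs."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["host"] not in hits:
            cands = dotted_candidates(m["host"], prefix)
            if cands:
                hits[m["host"]] = cands
    return hits

SAMPLE = [  # constructed lines, not taken from the thread
    "2006 Apr  5 11:35:01 build01 daemon.info sshd[812]: session opened",
    "2006 Apr  5 11:35:02 163181224153 kern.warning kernel: link down",
    "2006 Apr  5 11:35:03 16318110115 auth.notice su: session closed",
]

if __name__ == "__main__":
    for host, ips in suspicious_hosts(SAMPLE, prefix="163.181.").items():
        print(host, "->", ", ".join(ips))
```

Without the prefix filter, 16318110115 has a third reading, 163.18.110.115, so a dot-less value alone does not always identify the sender.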