On Fri, 2009-01-09 at 16:54 -0500, Paul Robert Marino wrote:
I have one thing to add to this. I know this probably goes without saying but the reverse lookup should not be reliant on DNS. It should use the system's native name resolution. I've often seen applications programmed to use only DNS for reverse resolution and in many of the secure environments I've worked in hosts files are used on loggers (also bastions, and firewalls) and DNS support is removed via nsswitch.conf to make them impervious to DNS spoofing. DNS reliance is often a deal breaker on these hosts.
syslog-ng is capable of ignoring DNS while still resolving hosts from the local hosts file (/etc/hosts, or another with the same format); see the dns-cache(persist-only) option.
-----Original Message-----
From: Balazs Scheidler <bazsi@balabit.hu>
Subj: Re: [syslog-ng] Host/IP Macros in relay chains
Date: Fri Jan 9, 2009 1:09 pm
Size: 1K
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
On Fri, 2009-01-09 at 10:46 +0000, Pennington, Philip wrote:
Sandor,
Thanks for your comments and useful suggestions.
The requirement is somewhat complicated in that at a point along the chain, I need to have the originating hostname for host filtering purposes, whereas at the end of the chain, I need syslog-ng to present the IP. That's why I began talking about reverse name resolution on the last relay.
well, with syslog-ng 3.0 and parse/rewrite you could probably encode all the needed information into the message payload and then change it back at the endpoints.
see my blog about parse/rewrite capabilities: http://bazsi.blogs.balabit.com/2008/10/syslog-ng-message-parsing.html
or the what's new document: http://www.balabit.com/dl/guides/syslog-ng-v3.0-guide-whatsnew-en.pdf
the open source version of syslog-ng 3.0 is already released, although the official announcement is still due. -- Bazsi
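As an added illustration of the two points raised in this thread (not configuration from the thread or from the syslog-ng project), the following syslog-ng 3.0 style configuration carries the originating host name and IP inside the message body along a relay chain, filters on the name at the middle hop, and restores the IP as $HOST at the endpoint; the first relay resolves the sender through the local hosts file only, using the use_dns(persist_only) option. The object names (r_embed, p_split, f_dmz, r_restore), the host names and the file path are made up for this example.

```conf
# ---- First relay: the only hop that still sees the real sender -----------
# Resolve the sender via the hosts file only (no DNS queries), and embed the
# resolved name plus the sender IP at the front of the message body so that
# later hops do not depend on $HOST, which each relay overwrites.
options { use_dns(persist_only); keep_hostname(no); };

source s_net { udp(port(514)); };
rewrite r_embed {
    set("${HOST} ${SOURCEIP} ${MESSAGE}", value("MESSAGE"));
};
destination d_relay2 { tcp("relay2.example.net" port(514)); };
log { source(s_net); rewrite(r_embed); destination(d_relay2); };

# ---- Middle relay: filter on the originating host name --------------------
# Split the body back into its three parts; "greedy" keeps the remainder of
# the original message intact in REST. The body is forwarded unchanged.
parser p_split {
    csv-parser(columns("ORIGHOST", "ORIGIP", "REST")
               delimiters(" ") flags(greedy));
};
filter f_dmz { match("^dmz-" value("ORIGHOST")); };
destination d_relay3 { tcp("relay3.example.net" port(514)); };
log { source(s_net); parser(p_split); filter(f_dmz); destination(d_relay3); };

# ---- Endpoint: present the originating IP as $HOST -----------------------
# Parse the same three fields, then put the IP into HOST and strip the
# prefix from the body so stored lines look like ordinary syslog records.
rewrite r_restore {
    set("${ORIGIP}", value("HOST"));
    set("${REST}", value("MESSAGE"));
};
destination d_file { file("/var/log/relayed.log"); };
log { source(s_net); parser(p_split); rewrite(r_restore); destination(d_file); };
```

Each section belongs in the configuration of the respective hop; it is shown as one listing only to keep the field names side by side. Anything that contains a space in the originating host name or IP fields would shift the columns, so the first relay's format should stay fixed.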