On Mon, 2010-11-29 at 15:51 -0500, w3euu wrote:
I just completed an upgrade from source on several (6) systems from syslog-ng 3.1.1 (OSE) to 3.1.2 and then 3.1.3. All of them went smoothly, without error. However, after the upgrade to 3.1.2, one of the systems began reporting the hostname as "localhost" rather than the correct host name. The problem persisted when I upgraded to 3.1.3. When I roll it back to 3.1.1 it reports the hostname correctly.
I assume you see "localhost" on the central log server, right?
I see "localhost" on the central server and also on the tcp link going from the failed (client) server to the central server -- as observed on the offending system.
All of the systems are Fedora. Some are fc13, some are fc14. The system that failed is fc14. It is forwarding its logs to a central logger via tcp.
tcpdump is running on the client machine, and monitoring the traffic leaving that machine, before it gets to the central server.
Hmm.. is this tcpdump running on the traffic between the client and the central server? Because of keep_hostname(no) setting in your server's settings, it doesn't matter what is on the wire.
Tcpdump is running on the client. The problem seems to be there, not on the central server.
Since you are using keep_hostname(no), this means that the syslog-ng server will always use the resolved name as the hostname, rather than the one provided by the client.
I am 95% sure I tried keep_hostname(yes) on the client earlier, and it made no difference. I can try again if you think that's the problem.
Can you show what tcpdump has shown on the wire traffic? Also, can you strace syslog-ng for a short while and see if syslog-ng is trying to resolve hostnames? (although syslog-ng will definitely cache hostnames, so that will only work for the first occasion as syslog-ng receives a message from the offending system).
I have attached tcpdump and strace outputs. Both tcpdump and strace are running on the "offending" system. It is running syslog-ng version 3.1.3. Not sure that the strace is what you want as I am new to that program. Let me know in greater detail what you need if this isn't it.
strace is not what I wanted, you should have followed the child process like this:

    strace -s 256 -o /tmp/strace.dmp -f /sbin/syslog-ng

See this chapter in the documentation:

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...

(you may need to replace the path of syslog-ng as the documentation assumes the paths used by our binary installer)

But anyway, I have an idea: do you have the hostname set on the client host properly? syslog-ng uses the gethostname() call to determine the hostname. And if that is not fully qualified, it'll attempt to do the same with reverse DNS (e.g. most probably from /etc/hosts).

Here's the pseudo code that does the hostname lookup (original in the function reset_cached_hostname() in misc.c):

    local_hostname_fqdn = gethostname(local_hostname_fqdn);
    if (local_hostname_fqdn has no '.' character in it (e.g. not fully qualified))
      {
        /* not fully qualified, resolve it using DNS or /etc/hosts */
        local_hostname_fqdn = gethostbyname(local_hostname_fqdn);
      }

e.g. it'll try to resolve the name returned by gethostname() (e.g. the contents of /etc/hostname on most distros) using /etc/hosts.

-- Bazsi
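The lookup described in the message above, written out as an added example (not code from the thread and not syslog-ng's misc.c) that can be run on a client to see which name the two calls produce. The names canon_fn, canon_system, canon_sample and local_fqdn, the sample hosts client1 and client2, and the fallback to the unresolved name when the lookup fails are assumptions of this example; canon_sample shows that a short name listed only as an alias on the loopback line of /etc/hosts comes back as "localhost", which is one way the symptom can arise and is not confirmed in the thread.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* declares gethostname() under strict -std= modes */
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

typedef const char *(*canon_fn)(const char *name); /* hypothetical resolver hook */

/* Real resolver: gethostbyname() consults /etc/hosts and DNS per nsswitch.conf. */
static const char *canon_system(const char *name)
{
    struct hostent *he = gethostbyname(name);
    return he ? he->h_name : NULL; /* h_name is the canonical (first listed) name */
}

/* Constructed stand-in for an /etc/hosts line such as
 *   127.0.0.1 localhost localhost.localdomain client1
 * where the short name is only an alias, so the canonical name is "localhost". */
static const char *canon_sample(const char *name)
{
    if (strcmp(name, "client1") == 0) return "localhost";
    if (strcmp(name, "client2") == 0) return "client2.example.com";
    return NULL;
}

/* Same decision as the pseudo code: keep a dotted name, otherwise resolve it.
 * Assumption: on lookup failure the short name is kept. Returns 1 if resolved. */
static int local_fqdn(const char *host, canon_fn canon, char *out, size_t len)
{
    const char *fq = NULL;
    if (!strchr(host, '.'))
        fq = canon(host);
    snprintf(out, len, "%s", fq ? fq : host);
    return fq != NULL;
}

int main(void)
{
    char host[256] = "", fqdn[256];
    if (gethostname(host, sizeof(host) - 1) != 0) { perror("gethostname"); return 1; }
    local_fqdn(host, canon_system, fqdn, sizeof(fqdn));
    printf("gethostname(): %s\nname after the lookup: %s\n", host, fqdn);
    if (!strchr(fqdn, '.'))
        printf("not fully qualified: check how /etc/hosts maps the short name\n");
    return 0;
}
```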