Wow, old thread of mine. It appears to be disk/load related on the syslog server itself. These messages only appear in the middle of the night when a find job runs on the directories and files syslog-ng writes to and deletes old files (syslog-ng writes to files with a datestamp in the filename). When I don't run this script I don't have any problems. Funny thing is this happens on my boxes that are Netra 1125's, dual 400MHz procs, 18GB 10000 RPM disks, but doesn't happen on my boxes that are Ultra 1's, single 84MHz proc, 9GB 7200 RPM disks. Go figure. We're moving this stuff onto new hardware on a SAN so hopefully the problems will go away then.

Rob Glasser

-----Original Message-----
From: Unger, Christian [mailto:C.unger@st-ag.de]
Sent: Tuesday, June 10, 2003 11:33 PM
To: syslog-ng@lists.balabit.hu
Subject: AW: [syslog-ng]DNS Problem?

Maybe you are using Windows 2000 ADS-integrated DNS servers. Then you should look into the log files of the Windows box. The 2000 DNS server sometimes dies under heavy load. MS knows about that problem, so the DNS comes with an auto-restart function. But you can get a DNS timeout during the restart. Or your ADS is in combination with Exchange 2000, so the DNS (DC server) is sometimes under heavy load during the LDAP queries from Exchange. The DNS response then takes extremely long. If you have this, you should need 3 DS in the primary Exchange 2000 site and split the Exchange queries over the three global catalog servers.

That's my 2000 knowledge ;) I hope it helps someone.

-----Original Message-----
From: Glasser, Rob [mailto:rob.glasser@attws.com]
Sent: Wednesday, June 11, 2003 00:50
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]DNS Problem?

These are internal systems located in the same datacenter although not necessarily on the same network. Reverse lookups work; in fact, for any system that has a problem, it's usually only one message out of hundreds for the day that has the problem, all other messages from those systems resolve fine.

Rob Glasser
desk (425)288-2562; cell (206)915-4327
rob.glasser@attws.com / 2069154327@mobile.att.net

-----Original Message-----
From: Nicholas Bernstein [mailto:nick@docmagic.com]
Sent: Tuesday, June 10, 2003 3:47 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]DNS Problem?

First off, what hosts are they failing to resolve? If they are hosts from somewhere out on the internet, they might not have an in-addr.arpa address associated with the IP, and may not be reverse lookup-able. Have you tried to verify that the systems can look up the IP? E.g. 'host a.b.c.d'?

On Tue, 2003-06-10 at 15:40, Glasser, Rob wrote:
I'm having some name lookup weirdness and not sure of the cause. Thought I'd post the scenario to the group before I start tweaking my configuration to see if it can be fixed.
First off, I'm running syslog-ng 1.6.0rc3, and on the systems I'm having problems, they are Sun Netra systems, dual procs, 2GB of memory, running Solaris 8. My options look like this:
log_fifo_size(2048); time_reopen(10); use_fqdn(yes); keep_hostname(no); use_dns(yes); dns_cache(yes); long_hostnames(off);
I have 2 servers with this configuration acting as centralized loghosts for a datacenter. They are identical boxes, running identical syslog-ng configurations, on the same VLAN as the DNS servers they point to.
Both of these boxes will periodically fail to look up a name and log an entry under its IP address instead of its fully qualified host name. There appears to be no pattern whatsoever to it, and the log entries that get logged by IP are different on each syslog-ng server. The load on these systems is pretty minimal. The number of messages logged by IP address is averaging about 10 a day out of about 13000 messages being logged.
To make things even more interesting, I have a similar setup in another datacenter, but they are older smaller systems, only Ultra 1's, single proc, with only 128 MB of memory, running Solaris 2.6, acting as centralized servers for about 3 times the number of servers. The syslog-ng version and configuration is identical. On these systems I cannot find any entries logged by IP address, everything appears to be working fine.
Any ideas what might be causing this? My gut reaction is to blame it on the DNS boxes since the problem is only happening in one data center and not another, but wanted to see if anyone else has already been down this road first.
Thanks
Rob Glasser AT&T Wireless UNIX Systems Administrator
--
Nicholas Bernstein | nick@docmagic.com
UNIX Systems Administrator | http://www.docmagic.com
Document Systems Inc.
gpg: F706 8C4E 78FA DDDD 53A0 019F D983 FE28 2002 D1F3

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
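
Added example, not part of any message in this thread: a small check that counts the entries a loghost wrote under a bare IP address instead of a host name and groups them by hour, which is how the link to a nightly cleanup job described above can be confirmed. The line layout ("Mon DD HH:MM:SS host message"), the sample lines and the 01:00-04:00 window are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed file layout: "Mon DD HH:MM:SS host message"
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+(\d{2}):\d{2}:\d{2}\s+(\S+)\s")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def unresolved_by_hour(lines):
    """Return (parsed_total, Counter{hour: n}) for entries logged under a bare IPv4."""
    total = 0
    by_hour = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        total += 1
        hour, host = int(m.group(1)), m.group(2)
        if IPV4_RE.match(host):
            by_hour[hour] += 1
    return total, by_hour


def window_share(by_hour, start, end):
    """Fraction of unresolved entries whose hour h satisfies start <= h < end."""
    unresolved = sum(by_hour.values())
    if unresolved == 0:
        return 0.0
    inside = sum(n for h, n in by_hour.items() if start <= h < end)
    return inside / unresolved


# Constructed sample lines (documentation addresses, hypothetical host names).
SAMPLE = [
    "Jun 10 01:58:02 web01.example.com sshd[411]: Accepted publickey for ops",
    "Jun 10 02:13:45 192.0.2.17 su: 'su root' succeeded for ops on /dev/pts/3",
    "Jun 10 02:14:09 db02.example.com cron[88]: job started",
    "Jun 10 02:41:30 192.0.2.44 sendmail[902]: queue run complete",
    "Jun 10 14:05:11 web01.example.com sshd[987]: Connection closed",
    "Jun 10 14:06:52 192.0.2.17 ntpd[55]: synchronized",
]

if __name__ == "__main__":
    total, by_hour = unresolved_by_hour(SAMPLE)
    print(f"{sum(by_hour.values())} of {total} entries logged by IP")
    for hour in sorted(by_hour):
        print(f"  {hour:02d}:00  {by_hour[hour]}")
    print(f"share inside 01:00-04:00 window: {window_share(by_hour, 1, 4):.2f}")
```

A share close to 1.0 for the hours in which the cleanup job runs points at load on the loghost rather than at the DNS servers.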