----- Original message -----
Hello there,

My syslog-ng is logging fine from 700 servers, but a few times per day it is logging into a wrong folder which is created by the $HOST variable. Normally syslog should use a hostname like host-1.worker.foobar.com, but a few times a day it creates folders with names like:
4.22 p6-allrouter? p6-localnet p6-mc? p6-mcastpref p6-mcastpref? host-1.worker.foobar.xcom and other weird names...
It only logs one or two lines and then uses the right folder again. Does anyone have a clue where I have to look for the problem?
Here are the option lines from the server and the client:
Client:

@version: 3.3
options {
    threaded(yes);

    use_dns(yes);
    use_fqdn(yes);
    dns_cache(yes);
    dns_cache_size(16384);
    dns_cache_expire(3600);
    dns_cache_expire_failed(10);

    log_msg_size(256000);
    log_fifo_size(100000);

    normalize_hostnames(yes);
    check_hostname(yes);
    bad_hostname("^gconfd$");

    create_dirs(yes);
    owner("root");
    group("root");
    perm(0640);

    time_reopen(30);
};

Server:

options {
    threaded(yes);
    owner("root");
    group("root");
    perm(0660);

    dir_owner("root");
    dir_group("root");
    dir_perm(0770);
    create_dirs(yes);

    chain_hostnames(no);
    normalize_hostnames(yes);
    check_hostname(yes);
    keep_hostname(no);

    use_fqdn(yes);
    dns_cache(yes);
    dns_cache_size(16384);
    dns_cache_expire(3600);
    dns_cache_expire_failed(60);

    log_msg_size(256000);
    log_fifo_size(1000000);
};

Destination example:

destination d_syslog {
    file("/log/syslog/${R_YEAR}/${R_MONTH}/${R_DAY}/$HOST/$PROGRAM");
};

keep-hostname() is false in your case, which means it resolves hostnames from DNS and /etc/hosts. Isn't it possible that you get IPv6 traffic from special addresses, and those are resolved to the names it uses? Can you run tcpdump on the server to confirm? Do you have an IPv6 source configured?
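
Added example, not part of the original thread: a Python check of the hypothesis in the reply above, matching odd $HOST folder names against /etc/hosts names bound to IPv6 addresses outside global unicast space. The hosts content (a constructed Debian-style default), the folder list and the naming-policy regex are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of a Debian default /etc/hosts (assumption).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

# Folder names reported in the thread, plus one expected name.
SAMPLE_DIRS = ["host-1.worker.foobar.com", "p6-allrouter?", "p6-localnet",
               "p6-mcastpref", "host-1.worker.foobar.xcom", "4.22"]

# Assumed naming policy for legitimate senders; adjust to the real domain.
EXPECTED = re.compile(r"^[a-z0-9-]+\.worker\.foobar\.com$")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def special_ipv6_names(hosts_text):
    """Map each hosts-file name bound to a non-global-unicast IPv6 address."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address field
        if addr.version == 6 and addr not in GLOBAL_UNICAST:
            for name in fields[1:]:
                names[name] = str(addr)
    return names

def classify(dirs, hosts_text):
    """For each folder that breaks the policy, list hosts names containing it."""
    special = special_ipv6_names(hosts_text)
    report = {}
    for d in dirs:
        if EXPECTED.match(d):
            continue
        core = d.rstrip("?")                     # '?' marks a replaced character
        report[d] = sorted(n for n in special if len(core) >= 4 and core in n)
    return report

if __name__ == "__main__":
    for folder, names in classify(SAMPLE_DIRS, SAMPLE_HOSTS).items():
        print(folder, "->", names or "no hosts-file match")
```

An empty match list means the folder name is not explained by the hosts file and the source of that message needs a separate look, for example with the tcpdump capture suggested above.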