On Wed, 2006-04-05 at 11:35 -0500, Paul Krizak wrote:
I'm using the $HOST macro in a template, the relevant configuration bits being:
template t_human_readable { template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n"); template-escape(no); };
source s_external_syslog { udp(port(514)); };
destination d_big_messages { file ( "/var/log/logs/messages.log" template(t_human_readable) owner(root) group(root) perm(0644) ); };
log { source(s_external_syslog); destination(d_big_messages); };
The weird thing is that occasionally the $HOST field shows up as the IP address, but without dots, i.e. 163181224153. I haven't really discovered a pattern to it yet, but I'm wondering if maybe it's a bug in the DNS caching code. I'm using pretty large values:
dns_cache(yes); dns_cache_size(10000); dns_cache_expire(3600); dns_cache_expire_failed(30);
I'm about sure that it is not affected as in syslog-ng 2.0 these options are currently ignored as there's no dns cache (yet). The hostname that you quote above cannot be an IP address as it contains too many digits. Isn't it possible that the host sometimes sends this hostname in the message itself? If keep_hostname() is enabled, then the one in the syslog message is used instead of the reverse-resolved one. -- Bazsi