On Mon, 2007-01-15 at 12:52 -0600, Ivey, Chris wrote:
Thanks Bazsi. I finally got to the bottom of this, quite on accident. On a whim (since nothing else was working), I changed the destination for forwarding from hostnames to IP addresses. After I stopped and restarted the syslog-ng service, all worked well. I noticed in all my ltrace outputs that syslog-ng was performing a LOT of DNS queries when spoofing was on and we were using hostnames as the targets. There is not a local DNS server with this syslog-ng server, so the queries were taking quite a bit of time to come back (50-60 ms). Once I made the change to IP addresses, everything worked much better. I have now set my other syslog-ng server to use IP addresses instead of hostnames for forwarding as well.
Whoever runs the syslog-ng FAQ on campin.net may need to know that if you have performance issues, switching your targets to IP addresses instead of hostnames may clear up some issues.
Can you explain to me, though, why the spoofing needs to do so many nslookups? Why can it not cache the results of the first query? Does the application block waiting for DNS queries to come back? That may need to be addressed.... Thanks!
Sure, this is a bug. When I add spoof-source support to 2.0.x, I'll take care of this.

--
Bazsi
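The caching asked about in the thread, as an added sketch that is not syslog-ng code and does not implement source spoofing: the forwarding target is resolved once and the answer is reused until a TTL expires, so the send path does not wait on DNS for every message. `CachedDestination`, `forward`, the 300-second TTL, the host name `loghost.example` and the address `192.0.2.10` are assumptions made for the example.

```python
import socket
import time

class CachedDestination:
    """Forwarding target whose DNS answer is reused until a TTL expires."""

    def __init__(self, host, port=514, ttl=300.0,
                 resolver=socket.getaddrinfo, clock=time.monotonic):
        self.host, self.port, self.ttl = host, port, ttl
        self._resolver, self._clock = resolver, clock
        self._addr, self._expires = None, 0.0
        self.lookups = 0  # resolver calls made so far

    def address(self):
        now = self._clock()
        if self._addr is None or now >= self._expires:
            self.lookups += 1
            try:
                info = self._resolver(self.host, self.port,
                                      socket.AF_INET, socket.SOCK_DGRAM)
                self._addr = info[0][4]
            except OSError:
                if self._addr is None:
                    raise  # nothing cached to fall back on
                # DNS outage: keep forwarding to the last known address
            self._expires = now + self.ttl
        return self._addr

def forward(messages, dest, send):
    """Send every message to dest.address(); return the number sent."""
    sent = 0
    for msg in messages:
        send(msg.encode(), dest.address())
        sent += 1
    return sent

def demo():
    # Constructed sample: fake resolver and fake clock, so this runs offline.
    answer = [(socket.AF_INET, socket.SOCK_DGRAM, 17, "", ("192.0.2.10", 514))]
    now = [0.0]
    dest = CachedDestination("loghost.example", ttl=300.0,
                             resolver=lambda *a: answer, clock=lambda: now[0])
    out = []
    msgs = ["<13>test message %d" % i for i in range(1000)]
    forward(msgs, dest, lambda data, addr: out.append(addr))
    first = dest.lookups        # one lookup for 1000 messages
    now[0] = 301.0              # TTL passed: the next send re-resolves once
    forward(msgs[:10], dest, lambda data, addr: out.append(addr))
    return first, dest.lookups, set(out)
```

With a real socket, `send` would be the `sendto` method of a UDP socket; the stale-address fallback keeps log forwarding going when the resolver is unreachable.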