Sounds like a good idea. I'll try that and see what happens.

Paul Krizak                         5900 E. Ben White Blvd. MS 625
Advanced Micro Devices              Austin, TX 78741
Linux/Unix Systems Engineering      Phone: (512) 602-8775
Microprocessor Solutions Sector     Cell: (512) 791-0686

Rob Munsch wrote:
Interesting - we're using a central syslog-ng host (stunnel, mysql, etc). The central host always knew its own hostname, but the remote clients were showing up as 127.0.0.1 for a while - though dots were always present.
I now have
    keep_hostname(yes);
    use_dns(no);
on both the central and each client machine's config, and this has thus far always provided the correct hostname (since this causes $HOST to expand to whatever the client machine calls itself).
Note that when keep_hostname wasn't explicitly yes on each client, as well as the server, I got some odd results. I don't recall the details of that, sorry >.<
Since caching isn't implemented, perhaps try disabling use_dns completely and see if your answers change?
HTH,
Rob
Paul Krizak wrote:
Actually it's the precisely correct number of digits:
163181224153 -> 163.181.224.153. I also get similar results from subnets that don't match up quite so nicely. For example:
16318110115 -> 163.181.10.115, or 163.181.101.15
So I don't think it's a "packed IP -> hostname" problem; I think there might be something buggy in the DNS lookup code where somehow the source IP address gets b0rked into a decimal IP address without periods somehow.
I doubt that the hosts are sending out incorrect data, as I have never *ever* seen this behavior before switching to syslog-ng.
Balazs Scheidler wrote:
On Wed, 2006-04-05 at 11:35 -0500, Paul Krizak wrote:
I'm using the $HOST macro in a template, the relevant configuration bits being:
template t_human_readable {
    template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
    template-escape(no);
};
source s_external_syslog {
    udp(port(514));
};
destination d_big_messages {
    file (
        "/var/log/logs/messages.log"
        template(t_human_readable)
        owner(root) group(root) perm(0644)
    );
};
log {
    source(s_external_syslog);
    destination(d_big_messages);
};
The weird thing is that occasionally the $HOST field shows up as the IP address, but without dots, i.e. 163181224153. I haven't really discovered a pattern to it yet, but I'm wondering if maybe it's a bug in the DNS caching code. I'm using pretty large values:
    dns_cache(yes);
    dns_cache_size(10000);
    dns_cache_expire(3600);
    dns_cache_expire_failed(30);
I'm about sure that it is not affected as in syslog-ng 2.0 these options are currently ignored as there's no dns cache (yet).
The hostname that you quote above cannot be an IP address as it contains too many digits. Isn't it possible that the host sometimes sends this hostname in the message itself? If keep_hostname() is enabled, then the one in the syslog message is used instead of the reverse-resolved one.
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
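
Added example, not part of the original thread and not syslog-ng code: a Python sketch that scans a log written with the thread's t_human_readable template, flags $HOST fields that are a run of digits, and lists every dotted-quad address each one could stand for. The sample lines are constructed, the "YYYY Mon DD HH:MM:SS" shape of $R_FULLDATE is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the thread's t_human_readable layout; the
# "YYYY Mon DD HH:MM:SS" shape of $R_FULLDATE is an assumption.
SAMPLE_LOG = """\
2006 Apr  5 11:35:02 build01 daemon.info ntpd[812]: synchronized
2006 Apr  5 11:35:07 163181224153 auth.notice sshd[4411]: session opened
2006 Apr  5 11:36:40 16318110115 kern.warning kernel: eth0 link down
"""

def candidate_ips(digits, prefix=""):
    """Return every dotted-quad IPv4 address whose digits, with the dots
    removed, equal `digits`; optionally keep only those starting with prefix."""
    results = []

    def split(rest, octets):
        if len(octets) == 4:
            if not rest:
                results.append(".".join(octets))
            return
        for width in (1, 2, 3):
            part = rest[:width]
            if len(part) < width:
                break
            # No leading zeros ("01") and no octet above 255.
            if (part[0] == "0" and width > 1) or int(part) > 255:
                continue
            split(rest[width:], octets + [part])

    if re.fullmatch(r"[0-9]{4,12}", digits):
        split(digits, [])
    return [ip for ip in results if ip.startswith(prefix)]

def dotless_hosts(log_text, prefix=""):
    """Map each all-digit HOST field to its candidate source addresses."""
    found = {}
    for line in log_text.splitlines():
        fields = line.split()
        # fields: year, month, day, time, HOST, facility.priority, message...
        if len(fields) > 5 and re.fullmatch(r"[0-9]{4,12}", fields[4]):
            found[fields[4]] = candidate_ips(fields[4], prefix)
    return found

if __name__ == "__main__":
    for host, ips in dotless_hosts(SAMPLE_LOG, prefix="163.181.").items():
        print(host, "->", ", ".join(ips))
```

A 12-digit value maps to exactly one address, while shorter ones stay ambiguous unless a known network prefix narrows them, which is why such entries cannot be reliably attributed to a sender after the fact.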