remote logging and logfile naming
Hello

I like to have the following logfile names:

  /var/log/remote/proxy.d.westend.com.2002-03-05.log

or at least

  /var/log/remote/212.117.2.4.2002-03-05.log
  /var/log/remote/212.117.4.5.2002-03-05.log

etc.

Strangely, now I have a file /var/log/remote/proxy.2002-03-05.log which contains data from both proxy.d.westend.com and proxy.westend.com.

And, in addition, when trying to turn off hostname lookup, all syslog-ng exporters still have filenames with their short hostnames and all syslog (old) exporters have IPs as hostnames!

  /var/log/remote/proxy.2002-03-05
  /var/log/remote/212.117.77.123.2002-03-05

(of course I restarted the server after each modification)

On all three syslog-ng hosts (2xProxy and 1xCollector) I use syslog-ng-1.5.13. My collector config looks like this:

  options {
          long_hostnames(on);
          use_dns(no);
          use_fqdn(on);
          keep_hostname(on);
          chain_hostnames(on);
          use_time_recvd(yes);
          sync(0);
          mark(120);
          log_fifo_size(1000);
  };
  source remote { udp(); tcp(); };
  destination westend_remote_hosts_dir { file("/var/log/remote/$HOST.$YE.....

Any ideas how to achieve "proxy.d.westend.com.2002-03-05.log"? The content of the files is uninteresting, although chained hostnames would be nice if I ever log over more than one host.

bye,

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen and Dueren       Tel 0241/701333-0
ch@westend.com       Internet & Security for Professionals  Fax 0241/911879
         WESTEND is a CISCO Systems Partner - Premium Certified
Christian Hammers on Tue, Mar 05, 2002 at 11:31:24AM +0100:

Hi Christian,
options { long_hostnames(on); use_dns(no); use_fqdn(on); keep_hostname(on); chain_hostnames(on);
obviously, your hosts use their short hostname instead of the FQDN to log messages. You can fix this by putting the FQDN in hostname, however this is done in your specific OS. `hostname` or `uname -n` should output the FQDN.

Another option would be to use_dns(yes) and keep_hostname(no), which could lead to a performance problem (use some sort of DNS caching on the syslog-ng server).

Regards,

-- 
____ ____ / _/| - > Gregor Binder <gb@(rootnexus.net|sysfive.com)> | / || _\ \ \__
Id: 0xE2F31C4B  Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
On Tue, Mar 05, 2002 at 11:50:50AM +0100, Gregor Binder wrote:
Another option would be to use_dns(yes) and keep_hostname(no), which could lead to a performance problem (use some sort of DNS caching on the syslog-ng server).

This produces

  Mar 5 12:06:01 src@proxy/proxy.westend.com /USR/SBIN/CRO...

but the filename still is /var/log/remote/proxy.2002-03-05. Other hosts that are running no syslog-ng do have FQDN hostnames in their filename.
ngrep sniff:

  U 192.168.XXX.XXX:59513 -> 192.168.XXX.YYY:514
  <31>Mar 5 12:10:12 src@proxy/proxy.d.westend.com slapd[9011]: conn=10 65 op=2376 RESULT err=0 tag=97 nentries=0.

Can I get syslog to write the first "proxy" as FQDN just as the last string without changing the normal OS hostname (uname -n)? (I mean it's a *host*name, so use_fqdn(on) should add the domain name itself)

thanks,

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen and Dueren       Tel 0241/701333-0
ch@westend.com       Internet & Security for Professionals  Fax 0241/911879
         WESTEND is a CISCO Systems Partner - Premium Certified
Christian Hammers on Tue, Mar 05, 2002 at 12:23:40PM +0100:

Christian,
Can I get syslog to write the first "proxy" as FQDN just as the last string without changing the normal OS hostname (uname -n)? (I mean it's a *host*name, so use_fqdn(on) should add the domain name itself)
as long as you keep_hostname(yes), your hosts will have to specify the FQDN in the log message, which they'll do when hostname is set to FQDN. You can keep_hostname(no), but then there has to be some kind of mechanism to resolve the FQDN. DNS should work fine and do what you want if you turn off keep_hostname().

Cheers,

-- 
____ ____ / _/| - > Gregor Binder <gb@(rootnexus.net|sysfive.com)> | / || _\ \ \__
Id: 0xE2F31C4B  Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
Hi

On Tue, Mar 05, 2002 at 12:50:12PM +0100, Gregor Binder wrote:
You can keep_hostname(no), but then there has to be some kind of mechanism to resolve the FQDN. DNS should work fine and do what you want if you turn off keep_hostname().

I found out that chain_hostnames(yes) makes problems here, although keep_hostname was turned off both times!

a) chain_hostnames(no):
   proxy.d.westend.com.2002-03-05
   Mar 5 13:22:54 proxy.d.westend.com slapd....

b) chain_hostnames(yes):
   proxy.2002-03-05
   Mar 5 13:19:39 src@proxy/proxy.d.westend.com slapd...

Configurations:

collector, syslog-ng 2.5.13:
   long_hostnames(yes); use_dns(yes); use_fqdn(yes); keep_hostname(no);

exporter, syslog-ng 2.5.15:
   long_hostnames(yes); use_dns(yes); use_fqdn(yes); keep_hostname(yes); chain_hostnames(no);

bye,

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen and Dueren       Tel 0241/701333-0
ch@westend.com       Internet & Security for Professionals  Fax 0241/911879
         WESTEND is a CISCO Systems Partner - Premium Certified
At 11:50 05.03.2002 +0100, you wrote:
Christian Hammers on Tue, Mar 05, 2002 at 11:31:24AM +0100:
Another option would be to use_dns(yes) and keep_hostname(no), which could lead to a performance problem (use some sort of DNS caching on the syslog-ng server).
Syslog-ng seems to do a DNS lookup for every syslog packet it receives. Baszi, would it be possible to include some sort of short-time DNS cache in syslog-ng, so that it'll only check for updated DNS records, say, every minute?

I currently use a local dnscache (dnscache from the djbdns suite) which does its job fine, but it would be neat if this gets also included in syslog-ng (removes another point of possible failure).

best regards

-- 
Renner Michael
Junior System Engineer
Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at
support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
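An added example, not code from this thread or from syslog-ng: it mimics the two things the thread turns on. It takes the HOST field in both forms shown above (plain `proxy.d.westend.com` and the chained `src@proxy/proxy.d.westend.com`), picks the originating host for the file name, resolves bare IPv4 senders through a small TTL cache of the kind asked for here, and refuses any host string that is not safe as a path component, since with keep_hostname(on) that string arrives straight from the remote sender. `HostResolver`, `origin_host` and `logfile_name` are my names, and the reverse-lookup table in the usage is constructed.

```python
"""Added example: derive a per-host log file name from a received syslog line.

The HOST field is taken as the collector sees it: either the plain FQDN or the
chained form "src@relay/origin" from chain_hostnames(yes). Bare IPv4 senders are
resolved through a small TTL cache. All names/functions here are hypothetical.
"""
import re
import time

# BSD syslog header: optional <PRI>, timestamp, HOST, then the rest of the line.
_HDR = re.compile(r"^(?:<\d{1,3}>)?(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# Only a plain host name or dotted address may become a path component.
_SAFE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class HostResolver:
    """Reverse lookup with a TTL cache; `lookup` is injected so this runs offline."""

    def __init__(self, lookup, ttl=60.0, clock=time.time):
        self._lookup, self._ttl, self._clock, self._cache = lookup, ttl, clock, {}

    def fqdn(self, addr):
        now = self._clock()
        hit = self._cache.get(addr)
        if hit is not None and hit[1] > now:
            return hit[0]                    # still fresh, no lookup
        name = self._lookup(addr) or addr    # unresolvable: keep the address
        self._cache[addr] = (name, now + self._ttl)
        return name


def origin_host(host_field):
    """Last element of a chained HOST field, without any 'src@' style prefix."""
    return host_field.split("/")[-1].split("@", 1)[-1]


def logfile_name(line, date, resolver, logdir="/var/log/remote"):
    """Return '<logdir>/<fqdn-or-ip>.<date>.log' for one syslog line."""
    m = _HDR.match(line)
    if m is None:
        raise ValueError("not a BSD syslog line")
    host = origin_host(m.group(2))
    if _IPV4.match(host):
        host = resolver.fqdn(host)
    if not _SAFE.match(host):
        # A remote sender controls this string when keep_hostname(on) is used.
        raise ValueError(f"refusing unsafe host name for a path: {host!r}")
    return f"{logdir}/{host}.{date}.log"


if __name__ == "__main__":
    # Constructed reverse-lookup table standing in for DNS.
    table = {"212.117.2.4": "proxy.d.westend.com"}
    res = HostResolver(table.get, ttl=60.0)
    print(logfile_name("<31>Mar  5 12:10:12 src@proxy/proxy.d.westend.com slapd[9011]: conn=10",
                       "2002-03-05", res))
```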
On Tue, Mar 05, 2002 at 01:04:06PM +0100, Michael Renner wrote:
Baszi, would it be possible to include some sort of short-time dns cache in syslog-ng, so that it'll only check for updated dns records, say, every minute?
<mode value="soapbox"/>

Including DNS caching into syslog-ng will not remove a point of failure, it will increase the complexity of a specialized service, allowing it to fail in a greater number of places. The power of UNIX programming, and one of its tenets, is in the idea that each tool performs /one/ job well. syslog-ng is optimized to receive, format, and store/redirect logs from local and remote machines, and it does an exceptional job.

A local DNS cache server is designed for one job, providing a system-wide service for all applications. If it's not doing an exceptional job, then concentrate on fixing that daemon, not adding yet another layer of complexity to syslog-ng.

When one starts to engineer software into virtual "swiss army knives", one sacrifices the flexibility and power that the UNIX programming philosophy provides.

<mode value="lurk"/>

-- 
Chad Walstrom <chewie@wookimus.net> | a.k.a. ^chewie
http://www.wookimus.net/            | s.k.a. gunnarr
Get my public key, ICQ#, etc. $(mailx -s 'get info' chewie@wookimus.net)
I'm inclined to agree with the lurker. :)

Isn't this what nscd is designed to do anyway? Wouldn't it make more sense to recommend the use of nscd-or-equivalent if using hostname lookups?

Brian

On Tue, Mar 05, 2002 at 08:29:03AM -0600, Chad C. Walstrom wrote:
On Tue, Mar 05, 2002 at 01:04:06PM +0100, Michael Renner wrote:
Baszi, would it be possible to include some sort of short-time dns cache in syslog-ng, so that it'll only check for updated dns records, say, every minute?
<mode value="soapbox"/>
Including DNS caching into syslog-ng will not remove a point of failure, it will increase the complexity of a specialized service, allowing it to fail in a greater number of places. The power of UNIX programming, and one of its tenets, is in the idea that each tool performs /one/ job well. syslog-ng is optimized to receive, format, and store/redirect logs from local and remote machines, and it does an exceptional job.
A local DNS cache server is designed for one job, providing a system-wide service for all applications. If it's not doing an exceptional job, then concentrate on fixing that daemon, not adding yet another layer of complexity to syslog-ng.
When one starts to engineer software into virtual "swiss army knives", one sacrifices the flexibility and power that the UNIX programming philosophy provides.
<mode value="lurk"/>
-- 
Chad Walstrom <chewie@wookimus.net> | a.k.a. ^chewie
http://www.wookimus.net/            | s.k.a. gunnarr
Get my public key, ICQ#, etc. $(mailx -s 'get info' chewie@wookimus.net)
On Tue, Mar 05, 2002 at 09:10:48AM -0800, Brian Thomas wrote:
I'm inclined to agree with the lurker. :)
Thanks. ;-) It's nice to feel supported.
Isn't this what nscd is designed to do anyway? Wouldn't it make more sense to recommend the use of nscd-or-equivalent if using hostname lookups?
Yes. nscd is a GNU Lib C specific daemon that works in conjunction with the Name Service Switch to cache passwd, group, and host lookups. These C library function calls (getpwent(3), getgrent(3), and gethostbyname(3)) are configured via the /etc/nsswitch.conf file to query different sources for the requested information. nscd caches these queries.

As with any caching scheme, there are inherent security risks to consider. nscd does not run as a network daemon, so you do not need to worry about open network sockets. Unsynchronized passwords could be a problem, but if you shut off or reduce the TTL for passwd caching, you minimize that potential problem. In the case of NIS workstations, we turn down the TTL to 1 minute. passwd file lookups for uid then don't have to hit the NIS server for each call, but passwords are sync'd relatively quickly. In the case of servers, we shut it off completely. One can always force the dumping of cache tables at any time through the nscd command line interface.

We do use the host name caching and default it to about 6 minutes, but we're also doing some network rearranging. I think it'd be reasonable to cache a host name for fifteen minutes to an hour.

It's quite interesting to see the statistics on the number of hits to each table in cache. 'nscd -g'

-- 
Chad Walstrom <chewie@wookimus.net> | a.k.a. ^chewie
http://www.wookimus.net/            | s.k.a. gunnarr
Get my public key, ICQ#, etc. $(mailx -s 'get info' chewie@wookimus.net)