If a computer reboots before the DNS server, syslog-ng disallows starting because it can't resolve the IP address of loghost. It's awkward because the computer can't write to the local destination. Thx.
-- Jerome Peducasse
On Fri, Apr 26, 2002 at 02:57:54PM +0200, Jerome Peducasse wrote:
If a computer reboots before the DNS server, syslog-ng disallows starting because it can't resolve the IP address of loghost. It's awkward because the computer can't write to the local destination.
You should either use IP addresses in your configuration, _or_ add loghost into your /etc/hosts.
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Yes, of course but I like none of these propositions. I would like loghost to stay independent of network updates (update of IP, subnet...).
Is it not possible when a destination is unreachable (or unreadable, or ...) that syslog-ng logs an error in syslog.crit (if possible ;-)), continues its job and retries to open the failed destination at the next message?
Thanks for your help and your indulgence.
On Fri, Apr 26, 2002 at 03:02:44PM +0200, Balazs Scheidler wrote:
On Fri, Apr 26, 2002 at 02:57:54PM +0200, Jerome Peducasse wrote:
If a computer reboots before the DNS server, syslog-ng disallows starting because it can't resolve the IP address of loghost. It's awkward because the computer can't write to the local destination.
you should either use IP addresses in your configuration, _or_ add loghost into your /etc/hosts
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
-- Jerome Peducasse Wanadoo Portails - Sophia Antipolis
On Fri, Apr 26, 2002 at 03:36:13PM +0200, Jerome Peducasse wrote:
Yes, of course but I like none of these propositions. I would like loghost to stay independent of network updates (update of IP, subnet...).
I'm sorry Jerome but this is a common problem seen everywhere. Everyone else hardcodes a small number of critical IPs that their systems need to have in their config files. These are usually loghosts, nameservers, time servers, NIS/NIS+ servers, etc.
This is a fact of life. If you come up with something the rest of the world hasn't thought of, we're all ears.
-- "Java is, in many ways, C++--." - Michael Feldman.
On Fri, Apr 26, 2002 at 07:15:53AM -0700, Nate Campi wrote:
On Fri, Apr 26, 2002 at 03:36:13PM +0200, Jerome Peducasse wrote:
Yes, of course but I like none of these propositions. I would like loghost to stay independent of network updates (update of IP, subnet...).
I'm sorry Jerome but this is a common problem seen everywhere. Everyone else hardcodes a small number of critical IPs that their systems need to have in their config files. These are usually loghosts, nameservers, time servers, NIS/NIS+ servers, etc.
This was before coffee, so I didn't explain the problem well. The issue with naming services is a chicken and egg problem. In order to use the DNS you need to use nameservers, but you can't refer to those nameservers by hostnames available only in the DNS. This is why resolvers use IPs for the local nameservers in their configuration.
Many services start before the network is even up, so the only way to use any hostnames for these services is by using a name mapping mechanism that doesn't require network access. /etc/hosts comes to mind.
If you're absolutely dying to have name services work for a few critical hosts, the answer should be obvious by now, maintain a central /etc/hosts file, and dist it out via rdist/rsync to all your hosts. This way you can modify it as needed (like the DNS) and use hostnames for services that may start before the DNS can be accessed.
P.S. Time servers was a bad example of hard coded IP, I was just thinking of naming services and other services that start really early on before network based nameservices, like syslog. Again, it was before coffee ;)
-- "First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII - and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure." - Douglas Adams (1952-2001)
I agree with you but it's awkward that syslog-ng refuses to start even if it can write to a local destination (like syslogd). However, this "feature" assures syslog-ng works completely.
On Fri, Apr 26, 2002 at 07:32:45AM -0700, Nate Campi wrote:
On Fri, Apr 26, 2002 at 07:15:53AM -0700, Nate Campi wrote:
On Fri, Apr 26, 2002 at 03:36:13PM +0200, Jerome Peducasse wrote:
Yes, of course but I like none of these propositions. I would like loghost to stay independent of network updates (update of IP, subnet...).
I'm sorry Jerome but this is a common problem seen everywhere. Everyone else hardcodes a small number of critical IPs that their systems need to have in their config files. These are usually loghosts, nameservers, time servers, NIS/NIS+ servers, etc.
This was before coffee, so I didn't explain the problem well. The issue with naming services is a chicken and egg problem. In order to use the DNS you need to use nameservers, but you can't refer to those nameservers by hostnames available only in the DNS. This is why resolvers use IPs for the local nameservers in their configuration.
Many services start before the network is even up, so the only way to use any hostnames for these services is by using a name mapping mechanism that doesn't require network access. /etc/hosts comes to mind.
If you're absolutely dying to have name services work for a few critical hosts, the answer should be obvious by now, maintain a central /etc/hosts file, and dist it out via rdist/rsync to all your hosts. This way you can modify it as needed (like the DNS) and use hostnames for services that may start before the DNS can be accessed.
P.S. Time servers was a bad example of hard coded IP, I was just thinking of naming services and other services that start really early on before network based nameservices, like syslog. Again, it was before coffee ;)
-- "First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII - and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure." - Douglas Adams (1952-2001)
-- Jerome Peducasse Wanadoo Portails - Sophia Antipolis
Hello Everyone,
Sorry to post this again. But this problem is really starting to annoy me. I have an 8.2 Mandrake machine with working syslog-ng running as a Log Server. My problem is that the IPtables on the local machine is not logging to the syslog-ng. It only displays the log on the console and doesn't log to any file.
Thanks in advance,
Kaan
At 10:22 26.04.2002 -0400, you wrote:
Hello Everyone,
Sorry to post this again. But this problem is really starting to annoy me. I have an 8.2 Mandrake machine with working syslog-ng running as a Log Server. My problem is that the IPtables on the local machine is not logging to the syslog-ng. It only displays the log on the console and doesn't log to any file.
Is klogd or syslog-ng with a /proc/kmsg source configured/running? Do you have any other kernel messages in the logfiles?
mfg/best regards
--
Michael Renner Junior System Engineer Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
It WORKED!!!!
I put the --file("/proc/kmsg");-- entry on syslog-ng.conf and ran the klogd with the -c 1 option..
Thanks
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu]On Behalf Of Michael Renner
Sent: Friday, April 26, 2002 10:28 AM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Iptables is not logging to sysylog-ng
At 10:22 26.04.2002 -0400, you wrote:
Hello Everyone,
Sorry to post this again. But this problem is really starting to annoy me. I have an 8.2 Mandrake machine with working syslog-ng running as a Log Server. My problem is that the IPtables on the local machine is not logging to the syslog-ng. It only displays the log on the console and doesn't log to any file.
Is klogd or syslog-ng with a /proc/kmsg source configured/running? Do you have any other kernel messages in the logfiles?
mfg/best regards
--
Michael Renner Junior System Engineer Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
At 11:12 26.04.2002 -0400, you wrote:
It WORKED!!!!
I put the --file("/proc/kmsg");-- entry on syslog-ng.conf and ran the klogd with the -c 1 option..
Uhh, this was supposed to be an exclusive or, either syslog-ng with /proc/kmsg source OR klogd, both won't work because /proc/kmsg is a fifo (stuff disappears from it after it has been read).
mfg/best regards
--
Michael Renner Junior System Engineer Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
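A check for the either/or rule stated in the message above, as an added shell example that is not part of the original thread: it reports whether klogd, a syslog-ng /proc/kmsg source, both, or neither will read the kernel log. The function names, the `PS_LIST` override and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect the "both readers" setup, where
# klogd and a syslog-ng /proc/kmsg source each consume part of the kernel log.
# PS_LIST and the function names are assumptions for illustration.

# conf_reads_kmsg FILE: succeed if an uncommented file() or pipe() driver in
# FILE names /proc/kmsg. Comments are stripped naively at the first '#'.
conf_reads_kmsg() {
    sed 's/#.*//' "$1" |
        grep -Eq '(file|pipe)[[:space:]]*\([[:space:]]*"/proc/kmsg"'
}

# klogd_running: succeed if a process named klogd exists. PS_LIST may name a
# command that prints one process name per line (default: ps -e -o comm=).
klogd_running() {
    ${PS_LIST:-ps -e -o comm=} | grep -qx 'klogd'
}

# kmsg_readers FILE: print which daemons read /proc/kmsg:
#   both       messages are split between the two readers
#   syslog-ng  only the syslog-ng source reads it
#   klogd      only klogd reads it
#   none       nobody collects kernel messages (console output only)
kmsg_readers() {
    ng=no; kl=no
    if conf_reads_kmsg "$1"; then ng=yes; fi
    if klogd_running; then kl=yes; fi
    case $ng$kl in
        yesyes) echo both ;;
        yesno)  echo syslog-ng ;;
        noyes)  echo klogd ;;
        *)      echo none ;;
    esac
}

# write_sample_conf FILE: constructed syslog-ng.conf fragment for trying the
# check; it is not a complete configuration.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
source s_local { unix-stream("/dev/log"); internal(); };
source s_kernel { file("/proc/kmsg"); };
destination d_kern { file("/var/log/kernel.log"); };
log { source(s_kernel); destination(d_kern); };
EOF
}
```

Run `kmsg_readers /etc/syslog-ng/syslog-ng.conf` (path is an assumption) after sourcing the file; a result of `both` is the situation described above, where each reader only sees part of the kernel log.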
ok... Got that fixed. Thanks for the tip..
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu]On Behalf Of Michael Renner
Sent: Friday, April 26, 2002 11:28 AM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]Iptables is not logging to sysylog-ng
At 11:12 26.04.2002 -0400, you wrote:
It WORKED!!!!
I put the --file("/proc/kmsg");-- entry on syslog-ng.conf and ran the klogd with the -c 1 option..
Uhh, this was supposed to be an exclusive or, either syslog-ng with /proc/kmsg source OR klogd, both won't work because /proc/kmsg is a fifo (stuff disappears from it after it has been read).
mfg/best regards
--
Michael Renner Junior System Engineer Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu]On Behalf Of Michael Renner
Sent: Friday, April 26, 2002 11:28 AM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]Iptables is not logging to sysylog-ng
At 11:12 26.04.2002 -0400, you wrote:
It WORKED!!!!
I put the --file("/proc/kmsg");-- entry on syslog-ng.conf and ran the klogd with the -c 1 option..
Uhh, this was supposed to be an exclusive or, either syslog-ng with /proc/kmsg source OR klogd, both won't work because /proc/kmsg is a fifo (stuff disappears from it after it has been read).
mfg/best regards
--
Michael Renner Junior System Engineer
What exactly does klogd do? was it separated from syslogd for Licensing issues? Is it safe to replace klogd with --file("/proc/kmsg"); ? Also, can you give an example of actual config that has this?
Thanks a bunch
I have stopped using klogd. Here is what I have done instead.
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
I have had no issues.
----- Original Message -----
From: "Victor" <victord@paid.com>
To: <syslog-ng@lists.balabit.hu>
Sent: Friday, April 26, 2002 2:16 PM
Subject: Re: [syslog-ng]Iptables is not logging to sysylog-ng
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu]On Behalf Of Michael Renner
Sent: Friday, April 26, 2002 11:28 AM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]Iptables is not logging to sysylog-ng
At 11:12 26.04.2002 -0400, you wrote:
It WORKED!!!!
I put the --file("/proc/kmsg");-- entry on syslog-ng.conf and ran the klogd with the -c 1 option..
Uhh, this was supposed to be an exclusive or, either syslog-ng with /proc/kmsg source OR klogd, both won't work because /proc/kmsg is a fifo (stuff disappears from it after it has been read).
mfg/best regards
--
Michael Renner Junior System Engineer
What exactly does klogd do? was it separated from syslogd for Licensing issues? Is it safe to replace klogd with --file("/proc/kmsg"); ? Also, can you give an example of actual config that has this?
Thanks a bunch
On Fri, Apr 26, 2002 at 05:16:48PM -0400, Victor wrote:
| What exactly does klogd do? was it separated from syslogd for Licensing
| issues? Is it safe to replace klogd with --file("/proc/kmsg"); ?
| Also, can you give an example of actual config that has this?
klogd is meant to be a filter for certain kernel messages. Some messages (like those from iptables) are ordinary. Others, such as kernel panics, are generally logged in hex or some other human-unfriendly form. klogd understands these messages and converts them to a friendlier form. It is not necessary to run klogd, as syslogd or syslog-ng can parse /proc/kmsg just fine, but the information read from /proc/kmsg may not be very useful without the processing klogd does.
-James
On Fri, Apr 26, 2002 at 05:16:48PM -0400, Victor wrote:
| What exactly does klogd do? was it separated from syslogd for Licensing
| issues? Is it safe to replace klogd with --file("/proc/kmsg"); ?
| Also, can you give an example of actual config that has this?
klogd is meant to be a filter for certain kernel messages. Some messages (like those from iptables) are ordinary. Others, such as kernel panics, are generally logged in hex or some other human-unfriendly form. klogd understands these messages and converts them to a friendlier form. It is not necessary to run klogd, as syslogd or syslog-ng can parse /proc/kmsg just fine, but the information read from /proc/kmsg may not be very useful without the processing klogd does.
-James
Ah, I see. Thanks. Makes sense now.
On Sun, Apr 28, 2002 at 02:01:54AM -0400, Victor wrote:
On Fri, Apr 26, 2002 at 05:16:48PM -0400, Victor wrote:
| What exactly does klogd do? was it separated from syslogd for Licensing
| issues? Is it safe to replace klogd with --file("/proc/kmsg"); ?
| Also, can you give an example of actual config that has this?
klogd is meant to be a filter for certain kernel messages. Some messages (like those from iptables) are ordinary. Others, such as kernel panics, are generally logged in hex or some other human-unfriendly form. klogd understands these messages and converts them to a friendlier form. It is not necessary to run klogd, as syslogd or syslog-ng can parse /proc/kmsg just fine, but the information read from /proc/kmsg may not be very useful without the processing klogd does.
Ah, I see. Thanks. Makes sense now.
klogd preprocessing is deprecated, everybody suggests to use ksymoops instead.
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Fri, Apr 26, 2002 at 03:36:13PM +0200, Jerome Peducasse wrote:
Yes, of course but I like none of these propositions.
I would like loghost to stay independent of network updates (update of IP, subnet...).
Is it not possible when a destination is unreachable (or unreadable, or ...) that syslog-ng logs an error in syslog.crit (if possible ;-)), continues its job and retries to open the failed destination at the next message?
Thanks for your help and your indulgence.
Hmm... well you could use DHCP to propagate values such as what IP address is the loghost. The machines logging need not actually use DHCP for their networking, just run an agent to get the info. Then you use the IP address in your configuration.
This could be combined with a DNS lookup, thus giving you two information sources should one become unavailable. As a backup, should none of these sources yield you anything, having the last known loghost IP address stored locally on the machine might be a good idea. Even if the address is wrong, it's not much worse than not logging. But if the address is correct, we are off to the races.
You could combine this with a cron job that repeatedly tries to resolve/DHCP query for the loghost IP. When found, remove the cron job, and restart syslog-ng with the IP found (also update the locally stored IP).
While the above method will work, I give a caution. DNS gets screwed (typos have screwed me over more than I like to admit), and DNS/DHCP can be easily spoofed. Your hosts file is not as easily messed with. This is why I like hard coding loghost IP addresses.
--
Bradley Arlt, Security Team Lead
University Of Calgary, Computer Science
arlt@cpsc.ucalgary.ca
http://pages.cpsc.ucalgary.ca/~arlt/
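The fallback order described in the message above (live lookup first, then the last known address stored locally), as an added shell example that is not part of the original post. The cache path, the `LOOKUP` override and the function names are assumptions; only IPv4 answers are accepted, and the DHCP agent and the syslog-ng restart are left out.

```shell
#!/bin/sh
# Added example (not from the thread): choose the loghost address from a live
# lookup, falling back to the last known address stored on the machine.
# CACHE, LOOKUP and the function names are assumptions for illustration.
CACHE=${CACHE:-/var/lib/syslog-ng/loghost.last}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# lookup NAME: first address from the system resolver (hosts file, then DNS).
lookup() {
    getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# loghost_ip NAME: print the address to use.
# Exit status: 0 = fresh answer, 2 = stale cached answer (keep the retry
# cron job running), 1 = nothing usable.
loghost_ip() {
    ip=$(${LOOKUP:-lookup} "$1") || ip=''
    prev=''
    if [ -r "$CACHE" ]; then read -r prev < "$CACHE" || prev=''; fi
    if is_ipv4 "$ip"; then
        # A changed answer may be a renumbering, a typo or a spoofed reply:
        # report it instead of switching silently.
        if [ -n "$prev" ] && [ "$prev" != "$ip" ]; then
            echo "loghost $1 changed: $prev -> $ip" >&2
        fi
        { printf '%s\n' "$ip" > "$CACHE.tmp" && mv -f "$CACHE.tmp" "$CACHE"; } \
            2>/dev/null || echo "cannot update $CACHE" >&2
        printf '%s\n' "$ip"
        return 0
    fi
    if is_ipv4 "$prev"; then
        printf '%s\n' "$prev"
        return 2
    fi
    return 1
}
```

A cron wrapper would call `loghost_ip loghost`, write the printed address into the syslog-ng destination and restart the daemon, and remove itself once the exit status is 0.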
At 14:57 26.04.2002 +0200, you wrote:
If a computer reboots before the DNS server, syslog-ng disallows starting because it can't resolve the IP address of loghost. It's awkward because the computer can't write to the local destination.
I think it's very awkward to code a workaround for this problem (like postponing failed dns lookups in the config file). What about replacing the hostname with the ip of the syslog box or putting the hostname in /etc/hosts? The main syslog server shouldn't switch ips too often.
mfg/best regards
--
Michael Renner Junior System Engineer Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
participants (9)
- Balazs Scheidler
- Brad Arlt
- James Sneeringer
- Jerome Peducasse
- Jim Gifford
- Kaan Saldiraner
- Michael Renner
- Nate Campi
- Victor