I am using the latest version of ose ng, and have an issue I am trying to resolve. We have hosts that resolve to multiple names via round robin dns. So ng is capturing logs from all of those, depending on how it was resolved during the connection. For those types of hosts, I would like to configure ng to use hosts first, and fall back to dns resolution. Tried different combinations of configs, but it does not work this way. It either uses the hosts, or it does dns lookup. Thanks in advance for any tips on resolving this.

Example: 10.0.0.1 resolves to www, app1, ftp. I want to call it webserver in /etc/hosts, and if the entry matches, ng would just use that name. Right now it creates 3 separate log files for the same host based on the name it's able to resolve at lookup.
I have used HOST_FROM to get the IP of the sending server. Might help and it saves a name lookup.

Jim

On Mon, Aug 13, 2018, 2:24 PM Oleg <olegr06@gmail.com> wrote:

> I am using the latest version of ose ng, and have an issue I am trying to resolve. We have hosts that resolve to multiple names via round robin dns. So ng is capturing logs from all of those, depending on how it was resolved during the connection. For those types of hosts, I would like to configure ng to use hosts first, and fall back to dns resolution. Tried different combinations of configs, but it does not work this way. It either uses the hosts, or it does dns lookup. Thanks in advance for any tips on resolving this.
>
> Example: 10.0.0.1 resolves to www, app1, ftp. I want to call it webserver in /etc/hosts, and if the entry matches, ng would just use that name. Right now it creates 3 separate log files for the same host based on the name it's able to resolve at lookup.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Sorry for asking the basic, "have you turned it off and on again" question, but have you checked /etc/nsswitch.conf to make sure it's set to use hosts first?

Clayton Dukes
CEO, LogZilla Corp

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Jim Hendrick <james.r.hendrick@gmail.com>
Date: Monday, August 13, 2018 at 2:37 PM
Subject: Re: [syslog-ng] Hosts before DNS

> I have used HOST_FROM to get the IP of the sending server. Might help and it saves a name lookup.
>
> Jim
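The check suggested in the reply above, written out as an added example that is not part of the thread: it reads an nsswitch.conf-style file to see whether the hosts file is consulted before DNS, and reports which name a reverse lookup of 10.0.0.1 would get from a hosts-format file. The function names and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; every file written below is a constructed sample.

# Print the sources on the "hosts:" line of an nsswitch.conf-style file,
# one per line, in lookup order. Comments and [STATUS=action] items are dropped.
hosts_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) print $i; exit }'
}

# Succeed only if "files" is listed and precedes "dns" (or dns is absent).
files_before_dns() {
    hosts_sources "$1" | awk '
        $1 == "files" && !f { f = NR }
        $1 == "dns"   && !d { d = NR }
        END { exit !(f && (!d || f < d)) }'
}

# Print the name a reverse lookup of IP ($1) gets from a hosts-format file ($2):
# the first name on the first matching line.
hosts_name() {
    sed -e 's/#.*//' "$2" |
    awk -v ip="$1" '$1 == ip && NF > 1 { print $2; exit }'
}

# Constructed inputs: one good and one bad resolver order, and the pinned
# entry from the example in the original post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'passwd: files\nhosts: files [NOTFOUND=continue] dns # local first\n' > "$tmp/good"
printf 'hosts: dns files\n' > "$tmp/bad"
printf '127.0.0.1 localhost\n10.0.0.1 webserver www app1 ftp # pinned\n' > "$tmp/hosts"

for f in good bad; do
    if files_before_dns "$tmp/$f"; then
        echo "$f: hosts file is consulted before DNS"
    else
        echo "$f: hosts file is not consulted before DNS"
    fi
done
echo "10.0.0.1 -> $(hosts_name 10.0.0.1 "$tmp/hosts")"
```

On a live system the same functions can be pointed at /etc/nsswitch.conf and /etc/hosts.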
On 8/14/18 10:12 AM, Clayton Dukes wrote:

> Sorry for asking the basic, "have you turned it off and on again" question, but have you checked /etc/nsswitch.conf to make sure it's set to use hosts first?
Not to be rude, but do you think that when you post to a mailing list you could suppress your obnoxiously long signature with embedded images? Your signature content is literally 2,300X larger than the substance of the message.

--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://inoc.net/~rblayzor/
participants (4)
- Clayton Dukes
- Jim Hendrick
- Oleg
- Robert Blayzor