Hi all,

I'm relaying log messages from one syslog-ng server to another. At the final stop, the only way I can get the $HOST macro to work is if I enable DNS resolution on server 1. Is this by design? Here are the relevant configs:

----------------------------------------------------------------------
syslog-ng server 1 (relays to server 2):

    chain_hostnames(yes);
    keep_hostname(yes);
    use_dns(no);

    source s_udp { udp(port(514)); };
    destination df_udpback { udp("192.168.1.157" port(514)); };
    log { source(s_udp); destination(df_udpback); };
----------------------------------------------------------------------
syslog-ng server 2:

    chain_hostnames(yes);
    keep_hostname(yes);
    use_dns(yes);

    source s_udp { udp(port(514)); };
    destination df_udp { file("/var/log/ics/$HOST/$YEAR/$MONTH/$DAY"); };
    log { source(s_udp); destination(df_udp); };
----------------------------------------------------------------------
Sample log message on server 2:

    Oct 30 09:35:03 10.12.24.46/10.12.24.46 %ASA-5-111005: 10.28.22.55 end configuration: OK

10.12.24.46 is the correct IP address of the originating host, and $HOST resolves to this IP address. I would prefer $HOST to resolve to the hostname as it exists in the /etc/hosts file.

Thanks!
On Fri, 2009-10-30 at 14:23 -0500, Jason Barrett wrote:
> Hi all,
>
> I'm relaying log messages from one syslog-ng server to another. At the final stop, the only way I can get the $HOST macro to work is if I enable DNS resolution on server 1. Is this by design? Here are the relevant configs:
>
> ----------------------------------------------------------------------
> syslog-ng server 1 (relays to server 2):
>
>     chain_hostnames(yes);
>     keep_hostname(yes);
>     use_dns(no);
>
>     source s_udp { udp(port(514)); };
>     destination df_udpback { udp("192.168.1.157" port(514)); };
>     log { source(s_udp); destination(df_udpback); };
> ----------------------------------------------------------------------
> syslog-ng server 2:
>
>     chain_hostnames(yes);
>     keep_hostname(yes);
>     use_dns(yes);
>
>     source s_udp { udp(port(514)); };
>     destination df_udp { file("/var/log/ics/$HOST/$YEAR/$MONTH/$DAY"); };
>     log { source(s_udp); destination(df_udp); };
> ----------------------------------------------------------------------
> Sample log message on server 2:
>
>     Oct 30 09:35:03 10.12.24.46/10.12.24.46 %ASA-5-111005: 10.28.22.55 end configuration: OK
>
> 10.12.24.46 is the correct IP address of the originating host, and $HOST resolves to this IP address. I would prefer $HOST to resolve to the hostname as it exists in the /etc/hosts file.
$HOST always resolves to the "HOST" portion of the syslog message. syslog-ng can resolve only from /etc/hosts if you use these global options:

    options { use-dns(persist-only) dns-cache-hosts('/etc/hosts'); };

-- 
Bazsi
On Wed, 2009-11-04 at 09:03 -0600, Jason Barrett wrote:
> Balazs Scheidler wrote:
>> $HOST always resolves to the "HOST" portion of the syslog message.
>> syslog-ng can resolve only from /etc/hosts if you use these global options:
>>
>>     options { use-dns(persist-only) dns-cache-hosts('/etc/hosts'); };
>
> "$HOST always resolves to the "HOST" portion of the syslog message."
>
> So if the syslog message's host field contains an IP address, $HOST will always resolve to the IP address regardless of the use-dns setting?
That depends on the keep-hostname() setting. It works like this:

* A message comes in with something in its "HOST" field; the message may lack a hostname, in which case syslog-ng _always_ adds one.
* syslog-ng decides whether it should trust the hostname field (if keep-hostname is set to yes it will trust it, if set to no it will not).
* If keep-hostname() is set to no, then syslog-ng will rewrite the HOST field, possibly using DNS (use-dns(yes)).

Anything that refers to the HOST macro is done after this rewrite is complete.

-- 
Bazsi
Yep. It sounds like you need to resolve an IP to a hostname, and if you can do it at the first syslog-ng hop that will be the easiest.

There are a lot of messages with regards to keep_hostname and $HOST macro confusion, so I'm going to be long-winded for others who read this, as it sounds like you already have a bead on what's going on. Bazsi, feel free to correct me at any spot.

Keep in mind that using the keep_hostname(yes) option makes it so that use_dns() will never be called.

Here's standard syslog format:

    <time> <hostname> <daemon[PID]>: <message>

Using keep_hostname(yes), syslog-ng will ignore any information about what host/syslog server passed it the message. It will only look at the <host> column of the message to determine what $HOST gets set to.

So, let's say you've got:

    switch1 --> sys-relay --> sys-central

Switch1 has IP address 10.1.1.123. With keep_hostname(yes) on sys-relay, the log gets written out by sys-relay like this:

    <time> 10.1.1.123 <cisco-counter-pid>: <message>

So let's say you wanted sys-relay to resolve 10.1.1.123 to a hostname. You would do this if you had appropriate PTR records set up on your DNS server for reverse DNS to work:

    keep_hostname(no)
    use_dns(yes)

Or if you don't have access to modify your DNS resolver and wanted to put your entries in /etc/hosts instead, you would use these options:

    keep_hostname(no)
    use-dns(persist-only)
    dns-cache-hosts('/etc/hosts')

Then, your logs on sys-relay would get written out like this (assuming 10.1.1.123 resolves to cisco-switch1):

    <time> cisco-switch1 <cisco-counter-pid>: <message>

sys-relay would then send that log to sys-central just like that too.

Then on sys-central, you would of course just use:

    keep_hostname(yes);

and it would write out its own logs exactly the same as they appear on sys-relay:

    <time> cisco-switch1 <cisco-counter-pid>: <message>

If you used keep_hostname(no) on sys-central, then sys-central would take a look at who it got the log from, ignore the <host> column of the log message, and write its logs out as:

    <time> sys-relay <cisco-counter-pid>: <message>

which I don't think you want.

Spoof-source would be used in the case that you can't resolve 10.1.1.123 from sys-relay, or perhaps you don't want to do any DNS resolution at all and want to save logs with the original IP in them at the very last hop for some reason. Using the 'spoof source' option, you're basically telling sys-relay to re-write the UDP packet source IP to 10.1.1.123 on whatever messages it is forwarding. Keep in mind you have to be sending in UDP for spoof source to work, and you have to compile your syslog-ng with:

    ./configure --enable-spoof-source

Hope that helps.

On Thu, Nov 5, 2009 at 6:40 PM, Jason Barrett <knotam@knotam.com> wrote:
> Balazs Scheidler wrote:
>> On Wed, 2009-11-04 at 09:03 -0600, Jason Barrett wrote:
>>> Balazs Scheidler wrote:
>>>> $HOST always resolves to the "HOST" portion of the syslog message.
>>>> syslog-ng can resolve only from /etc/hosts if you use these global options:
>>>>
>>>>     options { use-dns(persist-only) dns-cache-hosts('/etc/hosts'); };
>>>
>>> "$HOST always resolves to the "HOST" portion of the syslog message."
>>>
>>> So if the syslog message's host field contains an IP address, $HOST will always resolve to the IP address regardless of the use-dns setting?
>> That depends on the keep-hostname() setting. It works like this:
>>
>> * A message comes in with something in its "HOST" field; the message may lack a hostname, in which case syslog-ng _always_ adds one.
>> * syslog-ng decides whether it should trust the hostname field (if keep-hostname is set to yes it will trust it, if set to no it will not).
>> * If keep-hostname() is set to no, then syslog-ng will rewrite the HOST field, possibly using DNS (use-dns(yes)).
>>
>> Anything that refers to the HOST macro is done after this rewrite is complete.
> Thanks for the reply.
>
> Using keep-hostname(no), syslog-ng rewrites (or appends if chain-hostname(yes)) the hostname using the source IP of the packet. Unfortunately, I trust the original IP address; I just want to resolve it to a name. I think the only way to accomplish this is to use the spoof-source option or rewrite the hostname at the first syslog-ng hop. Is this accurate?
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
-- 
Lance Laursen
Demonware Systems Engineer
1-604-689-4594 x3702
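As an added example (this editor's code, not syslog-ng's and not anything posted in the thread), the following Python models the per-hop decision Bazsi lists (a message with no hostname always gets one; keep_hostname(yes) trusts the HOST field; keep_hostname(no) rewrites it from the sender, resolving per use_dns()) and runs Lance's three sys-relay/sys-central cases through it, starting from the ASA line in the original post as the device would emit it, with no hostname. Assumptions: the HOSTS table stands in both for dns-cache-hosts('/etc/hosts') and for DNS; sys-relay's address 192.168.1.10 is invented; chain_hostnames() and spoof-source are not modelled; and the log_path() check is an added safeguard for the file("/var/log/ics/$HOST/...") destination, not a syslog-ng option. It also shows why the question in the thread matters for the file() destination: with keep_hostname(yes), $HOST is whatever the sender put in the message, so it should be validated before it becomes a directory name.

```python
"""Model of how syslog-ng picks the HOST field at each hop, following the
steps Bazsi lists in this thread and Lance's sys-relay -> sys-central
walk-through.  Added example, not syslog-ng's own code: chain_hostnames()
and spoof-source are not modelled, and a table stands in for DNS."""
import dataclasses
import re
from typing import Optional

# Constructed stand-in for /etc/hosts, i.e. what dns-cache-hosts('/etc/hosts')
# would load.  sys-relay's address is an assumption; the thread never gives it.
HOSTS = {"10.1.1.123": "cisco-switch1", "192.168.1.10": "sys-relay"}

# The format Lance quotes: <time> <hostname> <daemon[PID]>: <message>.
# The hostname is optional because devices such as the Cisco ASA in the
# original post emit "<time> %ASA-5-111005: ..." with no host at all.
LINE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s:]+) )?(?P<tag>[^\s:]+): (?P<text>.*)$"
)


@dataclasses.dataclass(frozen=True)
class SyslogMsg:
    ts: str
    host: Optional[str]  # None when the message arrived without a hostname
    tag: str
    text: str

    def render(self) -> str:
        head = f"{self.ts} {self.host} " if self.host else f"{self.ts} "
        return f"{head}{self.tag}: {self.text}"


def parse(line: str) -> SyslogMsg:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    return SyslogMsg(m["ts"], m["host"], m["tag"], m["text"])


def resolve(ip: str, use_dns: str, hosts=HOSTS) -> str:
    """Name attached for a sender address under use_dns(): 'no' keeps the IP,
    'persist-only' consults only the hosts-file table, 'yes' asks the
    resolver (assumption: here the same table stands in for DNS)."""
    if use_dns == "no":
        return ip
    if use_dns in ("yes", "persist-only"):
        return hosts.get(ip, ip)
    raise ValueError(f"unknown use_dns value: {use_dns!r}")


def receive(msg: SyslogMsg, sender_ip: str, keep_hostname: bool,
            use_dns: str, hosts=HOSTS) -> SyslogMsg:
    """One syslog-ng hop in the order Bazsi describes: a message with no
    hostname always gets one from the sender; otherwise keep_hostname(yes)
    trusts the HOST field and keep_hostname(no) rewrites it from the sender."""
    if msg.host is None or not keep_hostname:
        return dataclasses.replace(msg, host=resolve(sender_ip, use_dns, hosts))
    return msg


def relay_chain(line: str, hops) -> str:
    """Push a line through successive hops, each given as
    (sender address as seen by that hop, keep_hostname, use_dns); return $HOST."""
    msg = parse(line)
    for sender_ip, keep_hostname, use_dns in hops:
        msg = receive(msg, sender_ip, keep_hostname, use_dns)
    return msg.host


# chain_hostnames(yes) joins names with "/", so validate each label separately.
SAFE_LABEL = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


def log_path(host: str, year="2009", month="10", day="30") -> str:
    """Build the file("/var/log/ics/$HOST/$YEAR/$MONTH/$DAY") path from the
    original post.  Added check: with keep_hostname(yes) HOST is whatever the
    sender wrote, so refuse empty, dot-only or otherwise odd labels."""
    for label in host.split("/"):
        if not SAFE_LABEL.match(label):
            raise ValueError(f"refusing to use {host!r} as a path component")
    return f"/var/log/ics/{host}/{year}/{month}/{day}"


# Constructed input: the ASA line from the thread as the device sends it.
ASA_RAW = "Oct 30 09:35:03 %ASA-5-111005: 10.28.22.55 end configuration: OK"
SWITCH_IP, RELAY_IP = "10.1.1.123", "192.168.1.10"

# Lance's three cases: hop 1 is sys-relay receiving from the switch,
# hop 2 is sys-central receiving from sys-relay.
CASE_KEEP_BOTH = [(SWITCH_IP, True, "no"), (RELAY_IP, True, "yes")]
CASE_RESOLVE_AT_RELAY = [(SWITCH_IP, False, "persist-only"), (RELAY_IP, True, "yes")]
CASE_REWRITE_AT_CENTRAL = [(SWITCH_IP, False, "persist-only"), (RELAY_IP, False, "yes")]

if __name__ == "__main__":
    for name, hops in [("keep on both hops", CASE_KEEP_BOTH),
                       ("resolve at relay", CASE_RESOLVE_AT_RELAY),
                       ("rewrite at central", CASE_REWRITE_AT_CENTRAL)]:
        host = relay_chain(ASA_RAW, hops)
        print(f"{name:20} $HOST={host:15} -> {log_path(host)}")
```

The first case reproduces the original post (use_dns(no) on the relay, so the IP is all sys-central ever sees); the second is the fix both Bazsi and Lance point to, resolving at the first hop from the hosts file; the third is the keep_hostname(no) trap on sys-central, where $HOST becomes the relay's name.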