I have a logserver with a mysql back-end and php-syslog-ng front-end.

I was doing some work on DNS (migration to another machine, another version) yesterday and it was down for a little while. I noticed today that in the logserver interface I have loads of IP addresses instead of hostnames. So I had to go through and change the fields for all those hosts manually, which was quite annoying. In order to stop this from happening again I was wondering what steps I could take.

My logserver conf options section is as follows:

    options {
        chain_hostnames(off);
        sync(10);
        stats(43200);
        keep_hostname(no);
        use_dns(yes);
        dns_cache(yes);
        create_dirs(yes);
        log_fifo_size(5000);
    };

If I change keep_hostname() to yes will I still get validation via dns or not? I think not judging from the docs. I was wondering if perhaps it would use dns and if unavailable it would use the name from the logs. Wishful thinking?

On a DNS front, I was wondering if I could just copy a hosts file with all the dns names in it to the /etc/hosts of the linux system running the logserver. Would this work? Would syslog-ng obey the nsswitch of the linux system and use the hosts file first? Or does it have to do a dns request when use_dns(yes) is in the options{}; ?

This way, I'll never have this problem again if I need to fiddle the DNS server. I already have a hosts file generated when I update my dns server records so this is ready to go if it will work...

All feedback welcome.

-h

--
Hari Sekhon
Hari,

This may help:

    ###########################################################################################
    # My config below
    ###########################################################################################
    options {
        long_hostnames(off);
        # doesn't actually help on Solaris, log(3) truncates at 1024 chars
        log_msg_size(8192);
        # buffer just a little for performance
        sync(1);
        # memory is cheap, buffer messages unable to write (like to loghost)
        log_fifo_size(16384);
        # Hosts we don't want syslog from
        #bad_hostname("^(ctld.|cmd|tmd|last)$");
        # The time to wait before a dead connection is reestablished (seconds)
        time_reopen(10);
        #Use DNS so that our good names are used, not hostnames
        use_dns(yes);
        dns_cache(yes);
        #Use the whole DNS name
        use_fqdn(no);
        keep_hostname(no);
        chain_hostnames(yes);
        #Read permission for everyone
        perm(0644);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes. That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
    };

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Hari Sekhon
Sent: Thursday, September 28, 2006 10:20 AM
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] DNS and hosts

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
That config is almost the same as mine, which means it's also reliant on DNS. This is good in that it validates names instead of using names from the logs, but bad in that it can stall or put entries with IP addresses if it can't find the reverse dns record for the ip of the sending machine.

The 2 main questions still remain:

Does syslog-ng use nsswitch for dns processing, will a hosts file stop it from doing dns queries or does syslog-ng bypass this and do dns queries anyway?

Is there a way to tell it to use the name from dns or if unavailable then keep the hostname from the log entry?

Hari Sekhon
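The behaviour asked for in the two questions above (hosts file first, then reverse DNS, and only if both fail keep the hostname carried in the log entry), as an added example written for this archive page; it is not code from syslog-ng or php-syslog-ng. The /etc/hosts content, the PTR table and the syslog lines are constructed test data, and the resolver is passed in as a function so the script runs offline and so a DNS outage can be simulated. It assumes the libc lookup order that use_dns(yes) goes through on a typical Linux box, namely /etc/nsswitch.conf with files before dns. The security caveat worth keeping in mind: the HOSTNAME field in a syslog message is written by the sender and can be forged, which is why keep_hostname(no) with DNS validation exists in the first place, so the fallback below records where each name came from instead of silently trusting the message.

```python
"""Name the sender of a syslog message: hosts table, then reverse DNS,
then the HOSTNAME field from the message as a last resort.

Added example for this mailing-list thread; not syslog-ng or
php-syslog-ng code.  All data below is constructed.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed /etc/hosts content (assumption: IPv4 only, canonical name
# first, aliases after, '#' starts a comment).
HOSTS_FILE = """\
127.0.0.1   localhost
# lab hosts, regenerated from the DNS zone
10.0.0.11   web01.example.test web01
10.0.0.12   db01.example.test  db01
"""

# Constructed reverse-DNS table standing in for the real resolver.
FAKE_PTR = {
    "10.0.0.12": "db01.example.test",
    "10.0.0.13": "fw01.example.test",
}

# Constructed BSD-syslog lines paired with the datagram's source address.
# The address comes from the network layer; the hostname inside the
# message is whatever the sender chose to put there.
SAMPLE_LOGS = [
    ("10.0.0.11", "<34>Sep 28 10:20:01 web01 sshd[1234]: Accepted publickey for hari"),
    ("10.0.0.13", "<30>Sep 28 10:20:02 fw01 kernel: link up on eth1"),
    ("10.0.0.99", "<13>Sep 28 10:20:03 newbox su: session opened for root"),
]

# <PRI>TIMESTAMP HOSTNAME rest  (classic BSD syslog framing)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)

Resolver = Callable[[str], str]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map address -> canonical name, ignoring comments and blank lines.
    The first line for an address wins, matching the libc files lookup."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        table.setdefault(fields[0], fields[1])
    return table


def fake_dns(addr: str) -> str:
    """Stand-in for a PTR lookup; raises OSError like the real thing
    does when there is no record."""
    try:
        return FAKE_PTR[addr]
    except KeyError:
        raise OSError(f"no PTR record for {addr}")


def dns_down(addr: str) -> str:
    """Resolver that always fails, simulating the outage in the thread."""
    raise OSError("resolver timeout")


def resolve_sender(addr: str, msg_host: str, hosts: Dict[str, str],
                   dns: Resolver) -> Tuple[str, str]:
    """Return (name, source) where source is 'hosts', 'dns' or 'message'.
    'message' means the name was NOT validated and came from the sender."""
    if addr in hosts:
        return hosts[addr], "hosts"
    try:
        return dns(addr), "dns"
    except OSError:
        return msg_host, "message"


def normalise(records: List[Tuple[str, str]], hosts_text: str,
              dns: Resolver) -> List[Tuple[str, Optional[str], str]]:
    """Resolve every (source address, raw line) pair to (addr, name, source)."""
    hosts = parse_hosts(hosts_text)
    out: List[Tuple[str, Optional[str], str]] = []
    for addr, line in records:
        m = SYSLOG_RE.match(line)
        if not m:
            out.append((addr, None, "unparsed"))
            continue
        name, source = resolve_sender(addr, m.group("host"), hosts, dns)
        out.append((addr, name, source))
    return out


if __name__ == "__main__":
    for label, resolver in (("dns up", fake_dns), ("dns down", dns_down)):
        print(f"--- {label}")
        for addr, name, source in normalise(SAMPLE_LOGS, HOSTS_FILE, resolver):
            print(f"{addr:<12} {name!s:<22} via {source}")
```

With the resolver up, 10.0.0.11 is named from the hosts table without any DNS traffic, 10.0.0.13 needs a PTR lookup, and 10.0.0.99 (no hosts entry, no PTR) falls back to the message's own "newbox". With the resolver down, 10.0.0.13 falls back to the unvalidated short name "fw01" and is tagged "message", which is the row an operator would want to be able to find later in the php-syslog-ng database rather than a bare IP address.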
First, we have two DNS servers, so one can be down without any change in service.

Second, I just run the name service caching daemon (nscd) and configure it for whatever cache name timeout that I want. This does not help with syslog messages that come from a host that does not have an entry in the name cache, such as a new host, but it works for me.

Evan.
--
Evan Rempel                                   erempel@uvic.ca
Senior Programmer Analyst                        250.721.7691
Computing Services
University of Victoria
Thanks, I'll look into that... it seems to be a standard thing that I have never used or noticed before....

-h

Hari Sekhon
participants (3)
- Dukes Clayton
- Evan Rempel
- Hari Sekhon