syslog-ng 1.6.8 and dns cache issue
I have currently installed Syslog-ng ver 1.6.8. Here is a snippet of my syslog-ng config file. So accordingly when a syslog message comes in, depending on the ip address, it does a lookup in /etc/hosts, creates an appropriate host name folder and forwards the message there. If the hostname does not exist, it creates a folder named with the ip address.

Here is my question:

1) How often does syslog-ng refresh its dns /hosts cache? Because I have run into issues that even after the /etc/hosts file is updated syslog still keeps logging to the folder created with the ip address. If I restart syslog-ng service it immediately starts forwarding the messages correctly to hostname folder.

2) How can I reduce the dns cache timeout, so it checks /etc/hosts more frequently for any changes?

Thanks in advance.

Ketan

destination hostslocal {
    file("/var/log/HOSTS/$HOST/$YEAR-$MONTH-$DAY.log"
         owner(root) group(xxx) perm(0740) dir_perm(0740) create_dirs(yes)
         template("$R_DATE $FULLHOST $MONTH $S_DAY $S_YEAR $S_HOUR:$S_MIN:$S_SEC: $MESSAGE\n")
         template-escape(no));
};

log { source(src); destination(hostslocal); };
On Fri, 30 Sep 2005 15:33:27 EDT, Ketan Vankawala said:
I have currently installed Syslog-ng ver 1.6.8. Here is a snippet of my syslog-ng config file. So accordingly when a syslog message comes in, depending on the ip address, it does a lookup in /etc/hosts, creates an appropriate host name folder and forwards the message there. If the hostname does not exist, it creates a folder named with the ip address.
Updating /etc/hosts *should* provide fast response. I'm wondering if your /etc/nsswitch.conf specifies 'hosts: NIS files dns', and the NIS query functions are being too clever about caching..
I appreciate your response. Here is a snippet from /etc/nsswitch.conf. As I said in my previous email, as soon as I make the change in /etc/hosts file and after that when I do a tcpdump it shows me the /etc/hosts change has taken place. I see the ips getting translated into the new corrected hostname but for some reason syslog-ng keeps logging under the old hostname. Sometimes I have to wait for almost an hour until it recognizes the hostname change. If I restart the syslog-ng daemon, it immediately recognizes the hostname change but restarting the service is not always a practical solution.

Any help will be highly appreciated.

Ketan

passwd: files
shadow: files
group: files
#hosts: db files nisplus nis dns
*hosts: files dns*
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

Valdis.Kletnieks@vt.edu wrote:
On Fri, 30 Sep 2005 15:33:27 EDT, Ketan Vankawala said:
I have currently installed Syslog-ng ver 1.6.8. Here is a snippet of my syslog-ng config file. So accordingly when a syslog message comes in, depending on the ip address, it does a lookup in /etc/hosts, creates an appropriate host name folder and forwards the message there. If the hostname does not exist, it creates a folder named with the ip address.
Updating /etc/hosts *should* provide fast response. I'm wondering if your /etc/nsswitch.conf specifies 'hosts: NIS files dns', and the NIS query functions are being too clever about caching..