[Bug 171] New: Unwanted IP address Folder

https://bugzilla.balabit.com/show_bug.cgi?id=171

Summary: Unwanted IP address Folder
Product: syslog-ng
Version: 3.1.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi@balabit.hu
ReportedBy: julien.groselle@gmail.com
Type of the Report: bug
Estimated Hours: 0.0

Hi,

I work for a large society, and we have used syslog-ng for 5 years now. We have a centralized server with a storage tank to keep logs securely. Concretely, we have 2 centralized syslog-ng servers in a chrooted environment, and 50 client servers.

Since we use TLS transport in place of the stunnel workaround, we have many issues:

- First of all, many logs aren't written in the $HOST folder but in the IPADDRESS folder. So, to be clear, this is an example:

    # ls
    drwxr-x---  8 root adm 4,0K  1 mars 00:07 10.0.0.1
    drwxr-x--- 53 root adm 4,0K 19 mars 00:35 host1

  I assume that host1 has the 10.0.0.1 IP address, and

    # tree 192.168.100.79/2012-03/
    10.0.0.1/2012-03/
    ├── 02-user-10.0.0.1.log.bz2
    ├── 06-user-10.0.0.1.log.bz2
    ├── 07-user-10.0.0.1.log.bz2
    ├── 08-user-10.0.0.1.log.bz2
    ├── 09-user-10.0.0.1.log.bz2
    ├── 12-user-10.0.0.1.log.bz2
    ├── 13-user-10.0.0.1.log.bz2
    ├── 14-user-10.0.0.1.log.bz2
    ├── 15-user-10.0.0.1.log.bz2
    ├── 16-user-10.0.0.1.log.bz2
    └── 19-user-10.0.0.1.log

    # tree host1/2012-03/ |grep 19-
    ├── 19-apache.access-host1.log
    ├── 19-apache.error-host1.log
    ├── 19-authpriv-host1.log
    ├── 19-auth-host1.log
    ├── 19-cron-host1.log
    ├── 19-daemon-host1.log
    ├── 19-kern-host1.log
    ├── 19-mail-host1.log
    ├── 19-nagios-host1.log
    ├── 19-puppetd-host1.log
    ├── 19-syslog-host1.log
    └── 19-user-host1.log

  (we have this problem with many servers)

In facility "user" for host 10.0.0.1, in fact I have logs for snmptrapd... But why?? We have config for snmpd but not for snmptrapd...

So I have tried to define a default facility => failed
After that I have tried many dns and hostname options => failed

Does anyone here have a way to search for me? If you need more details, I'm yours.

Kind regards.
--
JG

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=171

--- Comment #1 from Balazs Scheidler <bazsi@balabit.hu> 2012-03-31 22:27:47 ---

well, to diagnose hostname related issues, it's important to know that:

1) a syslog message contains a hostname, which may or may not be used. this hostname is _sent_ by the client
2) if the server is configured with keep-hostnames(yes), then the hostname sent by the client is used
3) if the server is configured with keep-hostnames(no), then the hostname sent by the client is _ignored_ and replaced by the result of the reverse-DNS lookup of the sending IP address.
4) if syslog-ng replaces a hostname (because keep-hostname() is set to no), it'd only use dns if use-dns(yes) is enabled (which is the default).

I'd suggest to create a test environment, run syslog-ng in debug mode, and check the "Incoming message" line as it receives the message which is wrong. That line in the debug output should show you what hostname the client sends (the word right after the timestamp). Then the configuration on the server should make it straightforward to diagnose the issue.
https://bugzilla.balabit.com/show_bug.cgi?id=171

--- Comment #2 from JG <julien.groselle@gmail.com> 2012-04-02 15:08:02 ---

Hi,

First, thank you for working on my case.

So, to be much more precise: 90% of the time, the client sends its hostname, and the server tidies the client's logs by hostname. But 10% of the time, the server puts the client's logs in the IP address folder.

In the client's config I have this option:

    options { long_hostnames(off); flush_lines(0); log_msg_size(8192); stats_freq(0); keep_hostname(yes); };

In the server's config:

    options { long_hostnames(off); flush_lines(0); keep_hostname(yes); ts_format(iso); log_msg_size(8192); normalize_hostnames(yes); };

So if I understand your answer, my server takes the hostname that the client sends. And, if the server puts logs in the IP address folder, it's because it receives the IP address of the client in the $hostname$ variable...

So my new question is: why does the syslog-ng client not send its hostname but its IP address?

To try to solve my problem myself, I will try to put keep_hostname(no) on my server and let the reverse DNS set up $hostname$.

PS: the debug mode... is really verbose :P I have tried it, and luckily I had resized my /var/log :) I'm still parsing the information.
https://bugzilla.balabit.com/show_bug.cgi?id=171

--- Comment #3 from JG <julien.groselle@gmail.com> 2012-04-02 15:59:48 ---

So... I have tried to set keep_hostname to "no", and I don't have any hostname folder, just IP address folders!

My chrooted installation can't request DNS? Why? Do I need to add some libraries in the chrooted environment? Could you tell me which ones?

Thank you in advance.
https://bugzilla.balabit.com/show_bug.cgi?id=171

--- Comment #4 from Balazs Scheidler <bazsi@balabit.hu> 2012-04-02 21:53:45 ---

you might need a copy of resolv.conf within the chroot; also you may need the nss libraries. I can't help you more in that.

one additional note: if the incoming message has no hostname, syslog-ng will try to set one as if keep-hostname was no.
https://bugzilla.balabit.com/show_bug.cgi?id=171

--- Comment #5 from JG <julien.groselle@gmail.com> 2012-04-03 11:45:05 ---

I already have resolv.conf and many libs according to https://lists.balabit.hu/pipermail/syslog-ng/2005-January/006908.html

In my chrooted environment I have this:

    # l etc/
    -rw-r--r-- 1 root root 2,9K  3 avril 08:55 localtime
    -rw-r--r-- 1 root root  276  3 avril 08:55 nsswitch.conf
    -rw-r--r-- 1 root root    0 14 mars  17:13 passwd
    -rw-r--r-- 1 root root   70 14 mars  17:12 resolv.conf
    drwxr-xr-x 6 root root 4,0K 30 sept.  2011 syslog-ng

    # l lib/
    -rw-r--r-- 1 root root 31K 3 avril 08:56 libnss_compat-2.11.3.so
    -rw-r--r-- 1 root root 31K 3 avril 08:56 libnss_compat.so.2
    -rw-r--r-- 1 root root 23K 3 avril 08:56 libnss_dns-2.11.3.so
    -rw-r--r-- 1 root root 23K 3 avril 08:56 libnss_dns.so.2
    -rw-r--r-- 1 root root 51K 3 avril 08:56 libnss_files-2.11.3.so
    -rw-r--r-- 1 root root 51K 3 avril 08:56 libnss_files.so.2
    -rw-r--r-- 1 root root 19K 3 avril 08:56 libnss_hesiod-2.11.3.so
    -rw-r--r-- 1 root root 19K 3 avril 08:56 libnss_hesiod.so.2
    -rw-r--r-- 1 root root 44K 3 avril 08:56 libnss_ldap.so.2
    -rw-r--r-- 1 root root 43K 3 avril 08:56 libnss_nis-2.11.3.so
    -rw-r--r-- 1 root root 51K 3 avril 08:56 libnss_nisplus-2.11.3.so
    -rw-r--r-- 1 root root 51K 3 avril 08:56 libnss_nisplus.so.2
    -rw-r--r-- 1 root root 43K 3 avril 08:56 libnss_nis.so.2

But if I take the problem back, does anyone have a syslog-ng installation with a chrooted environment and TLS on? Because before we used TLS (we used stunnel and redirection on localhost) we did not have this problem... Since I configured syslog-ng to use native TLS support, this IP address folder has appeared. Maybe we have something wrong in our config file...

But we have a generic destination:

    destination hosts { file("/$HOST/$YEAR-$MONTH/$DAY-$FACILITY-$HOST.log" owner(0) group(4) perm(0640) dir_perm(0750) dir_owner(0) dir_group(4) create_dirs(yes)); };

And I don't understand why the server sets $HOST with the hostname of the client for all the filters, and sometimes sets $HOST with the IP address for the generic filter (but not all the time)... It drives me crazy...

Do we have a problem with the communication between client and server?

PS: we had a 2.6 installation and we have moved to 3.1 with the same config file. We have just replaced the deprecated objects... Do you think the problem could come from this point?

Regards.
https://bugzilla.balabit.com/show_bug.cgi?id=171

--- Comment #6 from Balazs Scheidler <bazsi@balabit.hu> 2012-04-04 09:05:55 ---

my time is very limited to diagnose whether this is a chroot problem or a bug in syslog-ng. stuff like strace could help.

tls shouldn't change anything, except that your hostname settings were probably customized because of the stunnel implementation.

you could also use the HOST_FROM macro, that always refers to the DNS resolved hostname, instead of the one in the header.
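The hostname rules from Comments #1 and #4 and the HOST_FROM macro from Comment #6, as an added model that is not part of this thread or of syslog-ng's own code (the reverse-DNS table and the sample messages are constructed). It shows how a message whose header carries an IP address, or no hostname at all, lands in an IP-named $HOST folder when reverse lookup fails inside the chroot, while HOST_FROM never trusts the header.

```python
"""Model of how syslog-ng fills $HOST and $HOST_FROM for a received message.
Added illustration of Comments #1, #4 and #6; not syslog-ng's own code.
The reverse-DNS table and the sample messages below are constructed."""
import re

# Classic BSD syslog framing: <PRI>Mmm dd hh:mm:ss [HOSTNAME] TAG[pid]: text
_HEADER_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<rest>.*)$")

# Constructed reverse-DNS table standing in for the resolver; pass resolver={}
# to model a chroot in which lookups fail (no resolv.conf / nss libraries).
REVERSE_DNS = {"10.0.0.1": "host1", "10.0.0.2": "host2"}

def header_host(line):
    """Hostname the client wrote after the timestamp (what the 'Incoming
    message' debug line shows there), or None if the message carries none."""
    m = _HEADER_RE.match(line)
    if not m:
        return None
    first = m.group("rest").split(" ", 1)[0]
    # A TAG or TAG[pid]: right after the timestamp means no hostname was sent.
    if first.endswith(":") or "[" in first:
        return None
    return first

def host_from(peer_ip, use_dns=True, resolver=None):
    """$HOST_FROM: derived from the sending IP only, never from the header."""
    table = REVERSE_DNS if resolver is None else resolver
    if not use_dns:
        return peer_ip
    return table.get(peer_ip, peer_ip)  # unresolved -> bare IP address

def resolve_host(line, peer_ip, keep_hostname=True, use_dns=True, resolver=None):
    """$HOST: the header value under keep-hostname(yes) when the client sent one;
    otherwise (keep-hostname(no), or no hostname in the message) the peer's
    reverse-DNS name, falling back to the bare IP when resolution fails."""
    sent = header_host(line)
    if keep_hostname and sent is not None:
        return sent
    return host_from(peer_ip, use_dns, resolver)

if __name__ == "__main__":
    no_dns = {}  # chroot without a working resolver
    for line in ("<13>Mar 19 00:35:12 host1 sshd[123]: ok",
                 "<13>Mar 19 00:35:12 10.0.0.1 snmptrapd[45]: trap",
                 "<13>Mar 19 00:35:12 snmptrapd[45]: trap"):
        print(f"{line!r}\n  HOST={resolve_host(line, '10.0.0.1')}"
              f"  HOST(chroot, no DNS)={resolve_host(line, '10.0.0.1', resolver=no_dns)}"
              f"  HOST_FROM={host_from('10.0.0.1')}")
```

The third sample is the shape to look for on the "Incoming message" debug line: no hostname after the timestamp, so the server falls back to reverse DNS and, when that fails in the chroot, to the IP address.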