[syslog-ng] syslog-ng and DNS

Brad Arlt arlt@cpsc.ucalgary.ca
Fri, 26 Apr 2002 08:33:19 -0600


On Fri, Apr 26, 2002 at 03:36:13PM +0200, Jerome Peducasse wrote:
> Yes, of course but I like none of these propositions.

> I would like loghost stays independent of network updates (update of
> IP, subnet...).

> Is it not possible when a destination is unreachable (or unreadable,
> or ...) that syslog-ng logs an error in syslog.crit (if possible
> ;-)), continues its job and retries to open failed destination at
> next message.

> Thanks for your help and your indulgence.

Hmm... well you could use DHCP to propagate values such as what IP
address is the loghost.  The machines logging need not actually use
DHCP for their networking, just run an agent to get the info.  Then
you use the IP address in your configuration.

This could be combined with a DNS lookup, thus giving you two
information sources should one become unavailable.  As a backup, should
none of these sources yield you anything, having the last known loghost IP
address stored locally on the machine might be a good idea.  Even if the
address is wrong, it's not much worse than not logging.  But if the address
is correct, we are off to the races.

You could combine this with a cron job that repeatedly tries to
resolve/DHCP Query for the loghost IP.  When found, remove the cron
job, and restart syslog-ng with the IP found (also update the locally
stored IP).

While the above method will work, I give a caution.  DNS gets screwed
(typos have screwed me over more than I like to admit), and DNS/DHCP can
be easily spoofed.  Your hosts file is not as easily messed with.  This
is why I like hard coding loghost IP addresses.
----------------------------------------------------------------------------
   __o		Bradley Arlt				Security Team Lead
 _ \<_		arlt@cpsc.ucalgary.ca			University Of Calgary
(_)/(_) 	http://pages.cpsc.ucalgary.ca/~arlt/	Computer Science
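
The lookup-with-local-fallback idea from the message above, sketched as an added example that is not part of the original post or of syslog-ng. `LOGHOST_NAME`, `CACHE_FILE` and the function names are hypothetical; only the DNS source is covered (the DHCP query is left out), and rewriting the syslog-ng destination and restarting the daemon from cron is site-specific and not shown.

```sh
#!/bin/sh
# Added example. LOGHOST_NAME and CACHE_FILE are hypothetical names.
LOGHOST_NAME="${LOGHOST_NAME:-loghost.example.org}"
CACHE_FILE="${CACHE_FILE:-/var/lib/loghost/last_ip}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the first IPv4 address the system resolver gives for a name.
resolve_loghost() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Print "lookup <ip>" or "cache <ip>"; return 1 when neither source works.
pick_loghost_ip() {
    fresh=$(resolve_loghost "$LOGHOST_NAME") || fresh=""
    cached=""
    if [ -r "$CACHE_FILE" ]; then read -r cached < "$CACHE_FILE" || true; fi
    if is_ipv4 "$fresh"; then
        # A changed answer may be a typo or a spoofed reply: make it visible.
        if [ -n "$cached" ] && [ "$fresh" != "$cached" ]; then
            echo "loghost address changed: $cached -> $fresh" >&2
        fi
        printf '%s\n' "$fresh" > "$CACHE_FILE"
        echo "lookup $fresh"
    elif is_ipv4 "$cached"; then
        echo "cache $cached"
    else
        return 1
    fi
}
```

A cron job would call `pick_loghost_ip` and act only on a `lookup` result; the change notice on stderr is the place to hook an alert if the address is expected to stay fixed.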