[syslog-ng]DNS Problem?

Glasser, Rob syslog-ng@lists.balabit.hu
Tue, 10 Jun 2003 15:40:33 -0700


I'm having some name lookup weirdness and not sure of the cause. Thought
I'd post the scenario to the group before I start tweaking my
configuration to see if it can be fixed.

First off, I'm running syslog-ng 1.6.0rc3, and on the systems I'm having
problems, they are Sun Netra systems, dual procs, 2GB of memory, running
Solaris 8.  My options look like this:

log_fifo_size(2048);
time_reopen(10);
use_fqdn(yes);
keep_hostname(no);
use_dns(yes);
dns_cache(yes);
long_hostnames(off);

I have 2 servers with this configuration acting as centralized loghosts
for a datacenter.  They are identical boxes, running identical syslog-ng
configurations, on the same VLAN as the DNS servers they point to.

Both of these boxes will periodically fail to look up a name? and log an
entry under its IP address instead of its fully qualified host name.
There appears to be no pattern whatsoever to it, and the log entries
that get logged by IP are different on each syslog-ng server.  The load
on these systems is pretty minimal.   The number of messages logged by
IP address is averaging about 10 a day out of about 13000 messages being
logged.

To make things even more interesting, I have a similar setup in another
datacenter, but they are older smaller systems, only Ultra 1's, single
proc, with only 128 MB of memory, running Solaris 2.6, acting as
centralized servers for about 3 times the number of servers.  The
syslog-ng version and configuration is identical.  On these systems I
cannot find any entries logged by IP address, everything appears to be
working fine.

Any ideas what might be causing this?  My gut reaction is to blame it on
the DNS boxes since the problem is only happening in one data center and
not another, but wanted to see if anyone else has already been down this
road first.

Thanks

Rob Glasser
AT&T Wireless
UNIX Systems Administrator
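
Added example (not part of the original post, and not syslog-ng code): one way to measure the symptom described above, counting messages filed under an IP literal and grouping them by source and by hour so that a resolver-side problem can be told apart from specific hosts that never resolve. The `Mon DD HH:MM:SS host message` line layout, the sample lines and the function names are assumptions; the post does not show its log format.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout (not shown in the post): "Mon DD HH:MM:SS host message".
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d{2}):\d{2}:\d{2}\s+(\S+)\s")

# Constructed sample lines; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE = [
    "Jun 10 03:00:01 web01.dc1.example.com sshd[411]: Accepted publickey for ops",
    "Jun 10 03:00:07 192.0.2.15 sshd[980]: Accepted publickey for ops",
    "Jun 10 03:00:09 db02.dc1.example.com cron[77]: job started",
    "Jun 10 03:41:52 192.0.2.15 su: 'su root' succeeded for ops",
    "Jun 10 14:12:30 192.0.2.40 inetd[120]: connection refused",
    "Jun 10 14:12:31 web01.dc1.example.com last message repeated 2 times",
]

def is_ip(host):
    """True when the host field is an IP literal, i.e. no name was recorded."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize(lines):
    """Count messages logged under an IP and group them by source and by hour."""
    total = 0
    by_ip, by_hour = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than miscount
        total += 1
        month, day, hour, host = m.groups()
        if is_ip(host):
            by_ip[host] += 1
            by_hour[f"{month} {int(day):2d} {hour}:00"] += 1
    unresolved = sum(by_ip.values())
    rate = unresolved / total if total else 0.0
    return {"total": total, "unresolved": unresolved, "rate": rate,
            "by_ip": by_ip, "by_hour": by_hour}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{report['unresolved']} of {report['total']} messages logged by IP")
    for ip, n in report["by_ip"].most_common():
        print(f"  {ip}: {n}")
    for hour, n in sorted(report["by_hour"].items()):
        print(f"  {hour}: {n}")
```

Entries filed under an IP also break per-host searches on a central loghost, so the per-source list doubles as the set of records to re-attribute.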



