[syslog-ng]DNS Problem?

Glasser, Rob syslog-ng@lists.balabit.hu
Tue, 10 Jun 2003 15:49:58 -0700


These are internal systems located in the same datacenter, although not
necessarily on the same network.  Reverse lookups work; in fact, for any
system that has a problem, it's usually only one message out of hundreds
for the day that has the problem. All other messages from those systems
resolve fine.

Rob Glasser
desk (425)288-2562; cell (206)915-4327
rob.glasser@attws.com / 2069154327@mobile.att.net


-----Original Message-----
From: Nicholas Bernstein [mailto:nick@docmagic.com]
Sent: Tuesday, June 10, 2003 3:47 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]DNS Problem?


First off, what hosts are they failing to resolve? If they are hosts
from somewhere out on the internet, they might not have an in-addr.arpa
address associated with the ip, and may not be reverse lookup-able. Have
you tried to verify that the systems can look up the ip? E.g.
'host a.b.c.d'?


On Tue, 2003-06-10 at 15:40, Glasser, Rob wrote:
> I'm having some name lookup weirdness and not sure of the cause.
> Thought I'd post the scenario to the group before I start tweaking my
> configuration to see if it can be fixed.
>
> First off, I'm running syslog-ng 1.6.0rc3, and on the systems I'm
> having problems, they are Sun Netra systems, dual procs, 2GB of
> memory, running Solaris 8.  My options look like this:
>
> log_fifo_size(2048);
> time_reopen(10);
> use_fqdn(yes);
> keep_hostname(no);
> use_dns(yes);
> dns_cache(yes);
> long_hostnames(off);
>
> I have 2 servers with this configuration acting as centralized
> loghosts for a datacenter.  They are identical boxes, running
> identical syslog-ng configurations, on the same VLAN as the DNS
> servers they point to.
>
> Both of these boxes will periodically fail to look up a name? and log
> an entry under its IP address instead of its fully qualified host
> name. There appears to be no pattern whatsoever to it, and the log
> entries that get logged by IP are different on each syslog-ng server.
> The load on these systems is pretty minimal.  The number of messages
> logged by IP address is averaging about 10 a day out of about 13000
> messages being logged.
>
> To make things even more interesting, I have a similar setup in
> another datacenter, but they are older smaller systems, only Ultra
> 1's, single proc, with only 128 MB of memory, running Solaris 2.6,
> acting as centralized servers for about 3 times the number of
> servers.  The syslog-ng version and configuration is identical.  On
> these systems I cannot find any entries logged by IP address,
> everything appears to be working fine.
>
> Any ideas what might be causing this?  My gut reaction is to blame it
> on the DNS boxes since the problem is only happening in one data
> center and not another, but wanted to see if anyone else has already
> been down this road first.
>
> Thanks
>
> Rob Glasser
> AT&T Wireless
> UNIX Systems Administrator
>
-- 
+---------------------------------------------------------------+
| Nicholas Bernstein            | nick@docmagic.com             |
| UNIX Systems Administrator    | http://www.docmagic.com       |
| Document Systems Inc.         |                               |
| gpg: F706 8C4E 78FA DDDD 53A0 019F D983 FE28 2002 D1F3        |
+---------------------------------------------------------------+
+---------------------------------------------------------------+

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
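
One way to check whether the IP-logged entries described in this thread really have no pattern is to tally them per source address and per hour. The script below is an added example, not code from the thread or from syslog-ng. It assumes the log file uses the classic "Mon DD HH:MM:SS host message" layout, and the sample lines, host names and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the assumed "Mon DD HH:MM:SS host message"
# layout; host names and addresses are made up for illustration.
SAMPLE = """\
Jun 10 03:14:07 web01.dc1.example.com sshd[411]: Accepted publickey for ops
Jun 10 03:14:09 10.20.30.41 cron[902]: (root) CMD (/usr/lib/sa/sa1)
Jun 10 03:15:42 db02.dc1.example.com su: 'su root' succeeded for ops
Jun 10 11:02:30 10.20.30.57 sendmail[77]: stat=Sent
Jun 10 11:40:01 10.20.30.41 cron[950]: (root) CMD (/usr/lib/sa/sa1)
Jun 10 11:41:12 web01.dc1.example.com sshd[498]: Connection closed
"""

# Captures the date, the hour and the host field of one log line.
LINE = re.compile(r"^(\w{3}\s+\d+) (\d\d):\d\d:\d\d (\S+) ")

def is_ip(host):
    """True when the host field is an IP literal, i.e. no name was logged."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize(lines):
    """Return (total messages, IP-logged count per source, per hour)."""
    total, by_host, by_hour = 0, Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        total += 1
        day, hour, host = m.groups()
        if is_ip(host):
            by_host[host] += 1
            by_hour[f"{day} {hour}:00"] += 1
    return total, by_host, by_hour

if __name__ == "__main__":
    total, by_host, by_hour = summarize(SAMPLE.splitlines())
    print(f"{sum(by_host.values())} of {total} messages logged by IP")
    for host, n in by_host.most_common():
        print(f"  source {host}: {n}")
    for hour, n in sorted(by_hour.items()):
        print(f"  hour {hour}: {n}")
```

Running the same tally on both loghosts and comparing the per-hour buckets shows whether the misses line up in time, which would point at the shared DNS servers rather than at one syslog-ng instance.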