[syslog-ng] Resolving Hostnames for Syslog Source IPs

Sawall, Christopher L CSawall at ameren.com
Wed Jun 1 20:57:01 CEST 2005


Only problem is I'm letting Syslog-NG create a new file for each host,
so Syslog-NG needs to be able to resolve the host before creating the
file.

This is a very odd problem.

Chris


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Jarrod Manzer
Sent: Wednesday, June 01, 2005 11:34 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Resolving Hostnames for Syslog Source IPs


I had this same problem. I resolved it by logging by IP and then doing 
reverse DNS lookups with a script and creating symbolic links to those 
IP based directories. The end result was people who like to use IP or 
DNS were happy. Gotta make sure your reverse is set up properly though.

But I never did find out why syslog-ng couldn't resolve the same names 
that the host command on the same box could.

Sawall, Christopher L wrote:

>I used to only log by IP and was fine with it.  But with a recent 
>acquisition and to make things easier, I turned on the use of DNS by 
>Syslog-NG.  However, it doesn't appear to resolve every source host.
>
>For example, I am sending syslogs from about 50 sets of Cisco PIX 
>firewalls, 5 VPN Concentrators and 2 Cisco Cache Engines.  Only about 
>80% of the PIX firewalls are being resolved when they show up in the 
>syslog file, 2 of the concentrators and none of the cache engines.  I 
>have verified that all of the firewalls are in DNS and PINGable from 
>the syslog server itself.
>
>I'm not sure what else to check.  I saw an old post from September 
>2003, but I don't think it's the same issue.  This appears to be a 
>consistent problem, some hosts are always resolved and some are not.
>
>Below are the options that are set in my syslog-ng.conf file.
>
>options { sync (1);
>          time_reopen (10);
>          log_fifo_size (2048);
>          long_hostnames (off);
>          dns_cache(yes);
>          use_dns (yes);
>          use_fqdn (no);
>          create_dirs (no);
>          keep_hostname (yes);
>        };
>
>source src { unix-stream("/dev/log"); internal(); udp(ip(0.0.0.0) port(514)); };
>
>Let me know if any other info would be beneficial.
>
>Thanks,
>Chris Sawall, GSEC, GSNA
>Ameren
>Information Security
>
> 
>
>
>*******************************
>The information contained in this message may be privileged and/or
>confidential and protected from disclosure. If the reader of this message
>is not the intended recipient, or an employee or agent responsible for
>delivering this message to the intended recipient, you are hereby notified
>that any dissemination, distribution or copying of this communication is
>strictly prohibited. Note that any views or opinions presented in this
>message are solely those of the author and do not necessarily represent
>those of Ameren. All emails are subject to monitoring and archival.
>Finally, the recipient should check this message and any attachments for
>the presence of viruses. Ameren accepts no liability for any damage caused
>by any virus transmitted by this email. If you have received this in
>error, please notify the sender immediately by replying to the message
>and deleting the material from any computer. Ameren Corporation
>*******************************
>
>_______________________________________________
>syslog-ng maillist  -  syslog-ng at lists.balabit.hu
>https://lists.balabit.hu/mailman/listinfo/syslog-ng
>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html


-- 
.Jarrod  Manzer.
.Network   Team.
.Go Daddy Group.
.(480) 366 3631.
.AIM:  nejarrod.
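The "log by IP, then reverse-resolve and symlink" approach Jarrod describes, written out as an added example; this is not code from the thread or from syslog-ng. It assumes syslog-ng is writing one directory per source IP under an assumed root of /var/log/hosts (adjust LOG_ROOT to your file() destination). syslog-ng turns a source IP into a hostname with a reverse (PTR) lookup, so the script reports separately the IPs that have no PTR record and the IPs whose PTR name does not resolve back to the same address, which is the "make sure your reverse is set up properly" check from the reply above; a hostname symlink is only created when the name round-trips, and an existing path is never overwritten. The resolver functions are parameters so that demo() runs offline against a constructed directory tree with constructed DNS answers.

```python
#!/usr/bin/env python3
"""Link IP-named syslog-ng directories to hostnames via reverse DNS.

Added example, not code from the thread. Assumes syslog-ng logs by IP into
one directory per source, e.g. /var/log/hosts/10.1.2.3/ (assumed layout).
"""
import ipaddress
import os
import socket
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Set, Tuple

LOG_ROOT = Path("/var/log/hosts")  # assumed; match your file() destination


def ptr_lookup(ip: str) -> Optional[str]:
    """PTR lookup on the source IP, the lookup syslog-ng does for use_dns(yes)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def a_lookup(name: str) -> Set[str]:
    """Forward lookup, used to confirm the PTR name points back at the IP."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def classify(ip: str, ptr: Callable[[str], Optional[str]],
             fwd: Callable[[str], Set[str]]) -> Tuple[str, Optional[str]]:
    """Return (status, hostname): 'ok', 'no-ptr', 'unsafe' or 'mismatch'."""
    name = ptr(ip)
    if name is None:
        return ("no-ptr", None)      # forward DNS and ping can be fine while this fails
    if not name or "/" in name or name.startswith("."):
        return ("unsafe", name)      # PTR data is set by the reverse-zone owner; not a path
    if ip not in fwd(name):
        return ("mismatch", name)    # reverse says X, but X does not resolve back here
    return ("ok", name)


def link_by_hostname(log_root: Path, ptr=ptr_lookup, fwd=a_lookup,
                     dry_run: bool = False) -> Dict[str, Tuple[str, Optional[str]]]:
    """Create <log_root>/<hostname> -> <ip> symlinks for every IP-named directory."""
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for entry in sorted(log_root.iterdir()):
        if not entry.is_dir() or entry.is_symlink():
            continue
        try:
            ipaddress.ip_address(entry.name)
        except ValueError:
            continue                 # not an IP-named directory; leave it alone
        status, name = classify(entry.name, ptr, fwd)
        report[entry.name] = (status, name)
        if status != "ok" or dry_run or name is None:
            continue
        link = log_root / name
        if link.is_symlink() and os.readlink(link) == entry.name:
            continue                 # already linked on an earlier run
        if link.exists() or link.is_symlink():
            report[entry.name] = ("collision", name)  # never clobber an existing path
            continue
        os.symlink(entry.name, link)  # relative target, survives moving log_root
    return report


def demo() -> Tuple[Dict[str, Tuple[str, Optional[str]]], List[str]]:
    """Run against a constructed tree with constructed DNS answers (offline)."""
    root = Path(tempfile.mkdtemp(prefix="synglinks-"))
    for d in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "pix-b.example.net"):
        (root / d).mkdir()
    fake_ptr = {                                  # constructed sample data
        "10.0.0.1": "pix-a.example.net",          # PTR and A agree
        "10.0.0.2": None,                         # no PTR at all
        "10.0.0.3": "cache-1.example.net",        # PTR exists, A points elsewhere
        "10.0.0.4": "pix-b.example.net",          # name already used by a real directory
    }
    fake_fwd = {
        "pix-a.example.net": {"10.0.0.1"},
        "cache-1.example.net": {"192.0.2.9"},
        "pix-b.example.net": {"10.0.0.4"},
    }
    report = link_by_hostname(root, ptr=fake_ptr.get,
                              fwd=lambda n: fake_fwd.get(n, set()))
    links = sorted(p.name for p in root.iterdir() if p.is_symlink())
    return report, links


if __name__ == "__main__":
    for ip, (status, name) in demo()[0].items():
        print(f"{ip:<16} {status:<10} {name or '-'}")
```

Run link_by_hostname(LOG_ROOT, dry_run=True) first and read the report: every "no-ptr" entry is a host that syslog-ng cannot name no matter what the forward zone says, and every "mismatch" entry is a reverse record worth fixing before anyone relies on the name in a log path.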
