[syslog-ng] Resolving Hostnames for Syslog Source IPs

Wed Jun 1 22:52:47 CEST 2005

On Wed, 01 Jun 2005 09:33:58 PDT, Jarrod Manzer said:
> I had this same problem. I resolved it by logging by IP and then doing 
> reverse DNS lookups with a script and creating symbolic links to those 
> IP based directories. The end result was people who like to use IP or 
> DNS were happy. Gotta make sure your reverse is set up properly though.
> 
> But I never did find out why syslog-ng couldn't resolve the same names 
> that the host command on the same box could.

The most common cause for things like this is semi-borked DNS that *appears*
to work, but in fact is subtly misconfigured.

A few things to check:

1) Take the IP address, and look up the PTR, which should give you a hostname
(this is where most 'host' commands stop). Then actually check that hostname
in the DNS, and make sure the IP is listed in an A record (some resolvers do
this additional sanity checking).

2) You may have a "lame delegation". Look at the SOA and NS entries for your
DNS zones, both PTR and A, and double-check that all machines listed in NS are
in fact serving up correct data for the zones (a quick double-check is if all
the DNS servers show the correct zone serial number in the SOA). It often happens
that if there are multiple NS records, a daemon will "lock in" on asking one NS
first, and if it returns an authoritative NXDOMAIN because it's a lame delegation,
the daemon won't ask other NS.  However, when you use the 'host' command, it may
check some *other* NS entry first and magically appear to work.

3) Double-check /etc/resolv.conf to make sure it points 'nameserver' entries
at DNS servers that pass the sanity checks in (1) and (2)....

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20050601/10f65ff6/attachment-0001.pgp