[syslog-ng] Resolving Hostnames for Syslog Source IPs

Sawall, Christopher L CSawall at ameren.com
Mon Jun 6 16:49:11 CEST 2005


Thanks for the suggestions.  It seems that about 10 out of 50 of the
devices did not have the proper PTR records.  Adding this has resolved
my problem.

Thanks,
chris


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Wednesday, June 01, 2005 3:53 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Resolving Hostnames for Syslog Source IPs 


On Wed, 01 Jun 2005 09:33:58 PDT, Jarrod Manzer said:
> I had this same problem. I resolved it by logging by IP and then doing
> reverse DNS lookups with a script and creating symbolic links to those
> IP based directories. The end result was people who like to use IP or
> DNS were happy. Gotta make sure your reverse is set up properly though.
>
> But I never did find out why syslog-ng couldn't resolve the same names
> that the host command on the same box could.

The most common cause for things like this is semi-borked DNS that
*appears* to work, but in fact is subtly misconfigured.

A few things to check:

1) Take the IP address, and look up the PTR, which should give you a
hostname (this is where most 'host' commands stop). Then actually check
that hostname in the DNS, and make sure the IP is listed in an A record
(some resolvers do this additional sanity checking).

2) You may have a "lame delegation". Look at the SOA and NS entries for
your DNS zones, both PTR and A, and double-check that all machines
listed in NS are in fact serving up correct data for the zones (a quick
double-check is if all the DNS servers show the correct zone serial
number in the SOA). It often happens that if there are multiple NS
records, a daemon will "lock in" on asking one NS first, and if it
returns an authoritative NXDOMAIN because it's a lame delegation, the
daemon won't ask other NS.  However, when you use the 'host' command, it
may check some *other* NS entry first and magically appear to work.

3) Double-check /etc/resolv.conf to make sure it points 'nameserver'
entries at DNS servers that pass the sanity checks in (1) and (2)....


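Check (1) from the quoted reply, written out as an added example that is not part of the original thread: look up the PTR for each syslog source IP, then confirm that the returned hostname has an A record listing that same IP. The addresses, hostnames and function names below are constructed for illustration; the default lookups use the system resolver, which may also consult /etc/hosts.

```python
import socket

def ptr_names(ip):
    """Reverse lookup through the system resolver; [] when no PTR exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def a_records(name):
    """Forward lookup through the system resolver; [] when the name fails."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_fcrdns(ip, reverse=ptr_names, forward=a_records):
    """Return (status, hostname): 'ok', 'no-ptr' or 'mismatch'."""
    names = reverse(ip)
    if not names:
        return ("no-ptr", None)          # the case reported for ~10 of 50 devices
    for name in names:
        if ip in forward(name):          # PTR target maps back to the same IP
            return ("ok", name)
    return ("mismatch", names[0])        # PTR exists, but A record disagrees

def audit(ips, reverse=ptr_names, forward=a_records):
    """Run the check over a list of syslog source IPs."""
    return {ip: check_fcrdns(ip, reverse, forward) for ip in ips}

# Constructed sample zone data (documentation address range), so the
# example runs offline; swap in the default resolvers for a live audit.
SAMPLE_PTR = {"192.0.2.10": ["sw1.example.net"],
              "192.0.2.11": ["sw2.example.net"]}
SAMPLE_A = {"sw1.example.net": ["192.0.2.10"],
            "sw2.example.net": ["192.0.2.99"]}   # stale A record

def sample_audit():
    return audit(["192.0.2.10", "192.0.2.11", "192.0.2.12"],
                 reverse=lambda ip: SAMPLE_PTR.get(ip, []),
                 forward=lambda name: SAMPLE_A.get(name, []))

if __name__ == "__main__":
    for ip, (status, name) in sample_audit().items():
        print(f"{ip:<15} {status:<9} {name or '-'}")
```

Calling `audit()` with only a list of IPs uses the live resolver configured in /etc/resolv.conf, so it also exercises check (3).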




