[syslog-ng] $HOST macro doing weird stuff
Balazs Scheidler
bazsi at balabit.hu
Thu Apr 6 12:23:52 CEST 2006
On Wed, 2006-04-05 at 11:35 -0500, Paul Krizak wrote:
> I'm using the $HOST macro in a template, the relevant configuration bits
> being:
>
> template t_human_readable {
> template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
> template-escape(no);
> };
>
> source s_external_syslog {
> udp(port(514));
> };
>
> destination d_big_messages {
> file (
> "/var/log/logs/messages.log"
> template(t_human_readable)
> owner(root)
> group(root)
> perm(0644)
> );
> };
>
> log {
> source(s_external_syslog);
> destination(d_big_messages);
> };
>
>
> The weird thing is that occasionally the $HOST field shows up as the IP
> address, but without dots, i.e. 163181224153. I haven't really
> discovered a pattern to it yet, but I'm wondering if maybe it's a bug in
> the DNS caching code. I'm using pretty large values:
>
> dns_cache(yes);
> dns_cache_size(10000);
> dns_cache_expire(3600);
> dns_cache_expire_failed(30);
>
I'm about sure that it is not affected as in syslog-ng 2.0 these options
are currently ignored as there's no dns cache (yet).
The hostname that you quote above cannot be an IP address as it contains
too many digits. Isn't it possible that the host sometimes sends this
hostname in the message itself? If keep_hostname() is enabled, then the
one in the syslog message is used instead of the reverse-resolved one.
--
Bazsi
More information about the syslog-ng
mailing list