[syslog-ng] $HOST macro doing weird stuff

Paul Krizak paul.krizak at amd.com
Thu Apr 6 17:35:08 CEST 2006


Actually it's the precisely correct number of digits:

163181224153 -> 163.181.224.153.  I also get similar results from 
subnets that don't match up quite so nicely.  For example:

16318110115 -> 163.181.10.115, or 163.181.101.15

So I don't think it's a "packed IP -> hostname" problem; I think there 
might be something buggy in the DNS lookup code where somehow the source 
IP address gets b0rked into a decimal IP address without periods.

I doubt that the hosts are sending out incorrect data, as I have never 
*ever* seen this behavior before switching to syslog-ng.

Paul Krizak                         5900 E. Ben White Blvd. MS 625
Advanced Micro Devices              Austin, TX  78741
Linux/Unix Systems Engineering      Phone: (512) 602-8775
Microprocessor Solutions Sector     Cell:  (512) 791-0686


Balazs Scheidler wrote:
> On Wed, 2006-04-05 at 11:35 -0500, Paul Krizak wrote:
>> I'm using the $HOST macro in a template, the relevant configuration bits 
>> being:
>>
>> template t_human_readable {
>>      template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
>>      template-escape(no);
>> };
>>
>> source s_external_syslog {
>>      udp(port(514));
>> };
>>
>> destination d_big_messages {
>>      file (
>>          "/var/log/logs/messages.log"
>>          template(t_human_readable)
>>          owner(root)
>>          group(root)
>>          perm(0644)
>>      );
>> };
>>
>> log {
>>      source(s_external_syslog);
>>      destination(d_big_messages);
>> };
>>
>>
>> The weird thing is that occasionally the $HOST field shows up as the IP 
>> address, but without dots, i.e. 163181224153.  I haven't really 
>> discovered a pattern to it yet, but I'm wondering if maybe it's a bug in 
>> the DNS caching code.  I'm using pretty large values:
>>
>> dns_cache(yes);
>> dns_cache_size(10000);
>> dns_cache_expire(3600);
>> dns_cache_expire_failed(30);
>>
> 
> I'm about sure that it is not affected as in syslog-ng 2.0 these options
> are currently ignored as there's no dns cache (yet).
> 
> The hostname that you quote above cannot be an IP address as it contains
> too many digits. Isn't it possible that the host sometimes sends this
> hostname in the message itself? If keep_hostname() is enabled, then the
> one in the syslog message is used instead of the reverse-resolved one.
> 



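As an added example, not part of the thread and not syslog-ng's own code: a small Python script that scans lines written by the t_human_readable template above, flags any $HOST field that is all digits, and enumerates every dotted quad the digits could have collapsed from (optionally restricted to a known network). This goes a little beyond the post, since it lists all valid splits rather than the ones that start with a known prefix: for 16318110115 it also finds 163.18.110.115, which is why a plain digit string cannot be reversed unambiguously without extra knowledge. The sample log lines, the 163.181.0.0/16 network and all function names are constructed for the illustration.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines in the "$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE"
# layout of the t_human_readable template; they are not real log data.
SAMPLE_LINES = [
    "2006-04-05T11:35:08 hostA auth.info sshd[123]: Accepted publickey for paul",
    "2006-04-05T11:35:09 163181224153 daemon.notice cron[44]: (root) CMD (run-parts)",
    "2006-04-05T11:35:10 16318110115 kern.warning kernel: eth0: link down",
    "2006-04-05T11:35:11 1234567890123 user.info foo: thirteen digits cannot be an IPv4",
]

# One regex for the template's five whitespace-separated fields.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<host>\S+) (?P<fac>\w+)\.(?P<pri>\w+) (?P<msg>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one template-formatted line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_valid_octet(s: str) -> bool:
    """An octet is 0..255 with no leading zero (so '01' never came from a printed address)."""
    if not s or (len(s) > 1 and s[0] == "0"):
        return False
    return 0 <= int(s) <= 255


def candidate_ips(digits: str) -> List[str]:
    """Every dotted quad that turns into `digits` when its dots are removed.

    A dotless IPv4 has between 4 and 12 digits (four octets of 1..3 digits each),
    so anything outside that range, e.g. a 13-digit string, gets no candidates.
    """
    if not digits.isdigit() or not 4 <= len(digits) <= 12:
        return []
    n = len(digits)
    found = []
    # Choose the length of the first three octets; the fourth takes the rest.
    for a in range(1, 4):
        for b in range(1, 4):
            for c in range(1, 4):
                d = n - a - b - c
                if not 1 <= d <= 3:
                    continue
                parts = [digits[:a], digits[a:a + b], digits[a + b:a + b + c], digits[a + b + c:]]
                if all(is_valid_octet(p) for p in parts):
                    found.append(".".join(parts))
    return found


def within_network(candidates: List[str], network: str) -> List[str]:
    """Keep only candidates inside a known source network (constructed filter, e.g. 163.181.0.0/16)."""
    net = ipaddress.ip_network(network)
    return [c for c in candidates if ipaddress.ip_address(c) in net]


def classify_host(host: str, network: Optional[str] = None) -> Dict[str, object]:
    """Describe a $HOST value: is it all digits, and which addresses could it have been."""
    if not host.isdigit():
        return {"host": host, "dotless": False, "candidates": [], "ambiguous": False}
    cands = candidate_ips(host)
    if network is not None:
        cands = within_network(cands, network)
    return {"host": host, "dotless": True, "candidates": cands, "ambiguous": len(cands) > 1}


def scan(lines: List[str], network: Optional[str] = None) -> List[Dict[str, object]]:
    """Classify the $HOST field of every parseable line."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            results.append(classify_host(rec["host"], network))
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LINES, network="163.181.0.0/16"):
        if r["dotless"]:
            print(f"{r['host']}: candidates={r['candidates']} ambiguous={r['ambiguous']}")
```

Run against the sample lines, 163181224153 yields exactly one candidate, 16318110115 yields three without a network filter and still two with the 163.181.0.0/16 filter, and the 13-digit value yields none, which matches both observations in the thread: a 12-digit string is the maximum a dotless IPv4 can produce, and shorter ones can be genuinely ambiguous.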