[syslog-ng] $HOST macro doing weird stuff
Rob Munsch
rmunsch at solutionsforprogress.com
Thu Apr 6 18:43:53 CEST 2006
Interesting - we're using a central syslog-ng host (stunnel, mysql, etc).
The central host always knew its own hostname, but the remote clients
were showing up as 127.0.0.1 for a while - though dots were always present.

I now have

    keep_hostname(yes);
    use_dns(no);

on both the central and each client machine's config, and this has thus
far always provided the correct hostname (since this causes $HOST to
expand to whatever the client machine calls itself).

Note that when keep_hostname wasn't explicitly yes on each client, as
well as the server, I got some odd results. I don't recall the details
of that, sorry >.<

Since caching isn't imped, perhaps try disabling use_dns completely and
see if your answers change?

HTH,
Rob

Paul Krizak wrote:
> Actually it's the precisely correct number of digits:
>
> 163181224153 -> 163.181.224.153. I also get similar results from
> subnets that don't match up quite so nicely. For example:
>
> 16318110115 -> 163.181.10.115, or 163.181.101.15
>
> So I don't think it's a "packed IP -> hostname" problem; I think there
> might be something buggy in the DNS lookup code where somehow the
> source IP address gets b0rked into a decimal IP address without
> periods somehow.
>
> I doubt that the hosts are sending out incorrect data, as I have never
> *ever* seen this behavior before switching to syslog-ng.
>
> Paul Krizak 5900 E. Ben White Blvd. MS 625
> Advanced Micro Devices Austin, TX 78741
> Linux/Unix Systems Engineering Phone: (512) 602-8775
> Microprocessor Solutions Sector Cell: (512) 791-0686
>
>
> Balazs Scheidler wrote:
>
>> On Wed, 2006-04-05 at 11:35 -0500, Paul Krizak wrote:
>>
>>> I'm using the $HOST macro in a template, the relevant configuration
>>> bits being:
>>>
>>> template t_human_readable {
>>>     template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
>>>     template-escape(no);
>>> };
>>>
>>> source s_external_syslog {
>>>     udp(port(514));
>>> };
>>>
>>> destination d_big_messages {
>>>     file (
>>>         "/var/log/logs/messages.log"
>>>         template(t_human_readable)
>>>         owner(root)
>>>         group(root)
>>>         perm(0644)
>>>     );
>>> };
>>>
>>> log {
>>>     source(s_external_syslog);
>>>     destination(d_big_messages);
>>> };
>>>
>>>
>>> The weird thing is that occasionally the $HOST field shows up as the
>>> IP address, but without dots, i.e. 163181224153. I haven't really
>>> discovered a pattern to it yet, but I'm wondering if maybe it's a
>>> bug in the DNS caching code. I'm using pretty large values:
>>>
>>> dns_cache(yes);
>>> dns_cache_size(10000);
>>> dns_cache_expire(3600);
>>> dns_cache_expire_failed(30);
>>>
>>
>> I'm about sure that it is not affected as in syslog-ng 2.0 these options
>> are currently ignored as there's no dns cache (yet).
>>
>> The hostname that you quote above cannot be an IP address as it contains
>> too many digits. Isn't it possible that the host sometimes sends this
>> hostname in the message itself? If keep_hostname() is enabled, then the
>> one in the syslog message is used instead of the reverse-resolved one.
>>
>
--
Rob Munsch
Solutions For Progress IT
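
An added example, not part of the original messages or of syslog-ng: Python that flags all-digit $HOST values in a file written with the t_human_readable template quoted above and lists every dotted-quad address each one could stand for. The sample lines, the assumed $R_FULLDATE layout (year, month, day, time) and the 163.181.0.0/16 filter are assumptions made for the illustration.

```python
import ipaddress
import re


def dotted_candidates(digits, network=None):
    """Return every valid dotted-quad reading of a dotless decimal string."""
    net = ipaddress.ip_network(network) if network else None
    found = []

    def walk(rest, octets):
        if len(octets) == 4:
            if not rest:  # all digits consumed by exactly four octets
                addr = ipaddress.ip_address(".".join(octets))
                if net is None or addr in net:
                    found.append(str(addr))
            return
        for width in (1, 2, 3):
            part = rest[:width]
            if len(part) < width:
                break
            # Reject leading zeros ("01") and values above 255.
            if (part[0] == "0" and width > 1) or int(part) > 255:
                continue
            walk(rest[width:], octets + [part])

    if re.fullmatch(r"\d{4,12}", digits):
        walk(digits, [])
    return found


def suspicious_hosts(lines, network=None):
    """Map each all-digit $HOST value to its candidate source addresses."""
    report = {}
    for line in lines:
        fields = line.split(None, 5)
        # Assumed layout: year, month, day, time, then $HOST.
        if len(fields) >= 5 and fields[4].isdigit():
            report[fields[4]] = dotted_candidates(fields[4], network)
    return report


# Constructed sample lines; only the two numeric host values come from the thread.
SAMPLE = [
    "2006 Apr  5 11:30:01 web01 daemon.info ntpd: synchronized",
    "2006 Apr  5 11:30:02 163181224153 auth.notice sshd: session opened",
    "2006 Apr  5 11:30:03 16318110115 kern.warning kernel: link down",
]

if __name__ == "__main__":
    for host, cands in suspicious_hosts(SAMPLE, "163.181.0.0/16").items():
        print(host, "->", cands or "no valid reading")
```

Without the network filter, 16318110115 has a third valid reading (163.18.110.115), so a mangled $HOST value alone cannot be attributed to one sender.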