[syslog-ng] $HOST macro doing weird stuff

Paul Krizak paul.krizak at amd.com
Thu Apr 6 19:01:40 CEST 2006


Sounds like a good idea.  I'll try that and see what happens.

Paul Krizak                         5900 E. Ben White Blvd. MS 625
Advanced Micro Devices              Austin, TX  78741
Linux/Unix Systems Engineering      Phone: (512) 602-8775
Microprocessor Solutions Sector     Cell:  (512) 791-0686


Rob Munsch wrote:
> Interesting - we're using a central syslog-ng host (stunnel, mysql, etc).
> The central host always knew its own hostname, but the remote clients 
> were showing up as 127.0.0.1 for a while - though dots were always present.
> 
> I now have
> keep_hostname(yes);
> use_dns(no);
> 
> on both the central and each client machine's config, and this has thus 
> far always provided the correct hostname (since this causes $HOST to 
> expand to whatever the client machine calls itself).
> 
> Note that when keep_hostname wasn't explicitly yes on each client, as 
> well as the server, I got some odd results.  I don't recall the details 
> of that, sorry >.<
> 
> Since caching isn't implemented, perhaps try disabling use_dns completely and 
> see if your answers change?
> 
> HTH,
> 
> Rob
> 
> Paul Krizak wrote:
> 
>> Actually it's the precisely correct number of digits:
>>
>> 163181224153 -> 163.181.224.153.  I also get similar results from 
>> subnets that don't match up quite so nicely.  For example:
>>
>> 16318110115 -> 163.181.10.115, or 163.181.101.15
>>
>> So I don't think it's a "packed IP -> hostname" problem; I think there 
>> might be something buggy in the DNS lookup code where somehow the 
>> source IP address gets b0rked into a decimal IP address without 
>> periods somehow.
>>
>> I doubt that the hosts are sending out incorrect data, as I have never 
>> *ever* seen this behavior before switching to syslog-ng.
>>
>> Paul Krizak                         5900 E. Ben White Blvd. MS 625
>> Advanced Micro Devices              Austin, TX  78741
>> Linux/Unix Systems Engineering      Phone: (512) 602-8775
>> Microprocessor Solutions Sector     Cell:  (512) 791-0686
>>
>>
>> Balazs Scheidler wrote:
>>
>>> On Wed, 2006-04-05 at 11:35 -0500, Paul Krizak wrote:
>>>
>>>> I'm using the $HOST macro in a template, the relevant configuration 
>>>> bits being:
>>>>
>>>> template t_human_readable {
>>>>      template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
>>>>      template-escape(no);
>>>> };
>>>>
>>>> source s_external_syslog {
>>>>      udp(port(514));
>>>> };
>>>>
>>>> destination d_big_messages {
>>>>      file (
>>>>          "/var/log/logs/messages.log"
>>>>          template(t_human_readable)
>>>>          owner(root)
>>>>          group(root)
>>>>          perm(0644)
>>>>      );
>>>> };
>>>>
>>>> log {
>>>>      source(s_external_syslog);
>>>>      destination(d_big_messages);
>>>> };
>>>>
>>>>
>>>> The weird thing is that occasionally the $HOST field shows up as the 
>>>> IP address, but without dots, i.e. 163181224153.  I haven't really 
>>>> discovered a pattern to it yet, but I'm wondering if maybe it's a 
>>>> bug in the DNS caching code.  I'm using pretty large values:
>>>>
>>>> dns_cache(yes);
>>>> dns_cache_size(10000);
>>>> dns_cache_expire(3600);
>>>> dns_cache_expire_failed(30);
>>>>
>>>
>>> I'm about sure that it is not affected as in syslog-ng 2.0 these options
>>> are currently ignored as there's no dns cache (yet).
>>>
>>> The hostname that you quote above cannot be an IP address as it contains
>>> too many digits. Isn't it possible that the host sometimes sends this
>>> hostname in the message itself? If keep_hostname() is enabled, then the
>>> one in the syslog message is used instead of the reverse-resolved one.
>>>
>>
> 
> 
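As an added example (not part of the original thread, and not syslog-ng code): a Python check that scans lines written with the t_human_readable template for all-digit $HOST values and lists every dotted-quad address each one could stand for. It assumes $R_FULLDATE renders as four whitespace-separated fields (year, month, day, time); the sample lines, the hostname web01 and the function names are constructed for illustration.

```python
import re
from itertools import product

# Constructed sample lines in the assumed "$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE" layout.
SAMPLE = [
    "2006 Apr  5 11:35:02 163181224153 daemon.info constructed message one",
    "2006 Apr  5 11:35:03 16318110115 auth.notice constructed message two",
    "2006 Apr  5 11:35:04 163.181.224.153 kern.warning constructed message three",
    "2006 Apr  5 11:35:05 web01 mail.info constructed message four",
]

def dotted_candidates(digits, prefix=""):
    """Every valid dotted-quad IPv4 address whose octets concatenate to `digits`."""
    found = []
    for lengths in product((1, 2, 3), repeat=4):
        if sum(lengths) != len(digits):
            continue
        octets, pos = [], 0
        for n in lengths:
            octets.append(digits[pos:pos + n])
            pos += n
        # Reject octets a decimal formatter would never emit (leading zero, > 255).
        if all(o == str(int(o)) and int(o) <= 255 for o in octets):
            addr = ".".join(octets)
            if addr.startswith(prefix):  # optional known-subnet filter
                found.append(addr)
    return sorted(found)

def find_dotless_hosts(lines, prefix=""):
    """Map each all-digit $HOST value seen in `lines` to its candidate addresses."""
    hits = {}
    for line in lines:
        fields = line.split(None, 5)  # year, month, day, time, host, rest
        if len(fields) < 5:
            continue
        host = fields[4]
        if re.fullmatch(r"[0-9]{4,12}", host):
            hits[host] = dotted_candidates(host, prefix)
    return hits

if __name__ == "__main__":
    for host, candidates in find_dotless_hosts(SAMPLE).items():
        print(host, "->", ", ".join(candidates) or "no valid IPv4 reading")
```

Without a prefix filter, 16318110115 has three valid readings, so a dotless $HOST value cannot always be mapped back to a single sender; passing the known subnet prefix (here "163.181.") narrows it to the two readings given in the thread.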


