[syslog-ng] host name treatment

Balazs Scheidler bazsi at balabit.hu
Fri Aug 25 14:03:16 CEST 2006


On Fri, 2006-08-25 at 11:36 +1200, Russell Fulton wrote:
> Here are the options that we are using:
> 
> options {
>     sync (0);
>     time_reopen (10);
>     log_fifo_size (5000);
>     long_hostnames (on);
>     use_dns (yes);
>     use_fqdn (yes);
>     create_dirs (yes);
> };
> 
> And for the most part things are working as we would expect, but a few
> of our client hosts insist in putting stuff in the host field of the
> syslog records and this is turning up in the HOST variable rather than
> the domain name of the source system.  Originally we had keep_hostname
> (yes) so this was the expected behaviour.  I have now changed the config
> file and restarted syslog-ng but it is still writing the records to a
> file with the hostname in the packets.

hmm.. with the keep_hostname(no) setting, syslog-ng should always
reverse resolve the sending IP address, so it should have a proper
hostname in it as long as your DNS/hosts file is ok.

> 
> I have verified that I have edited the right file by then turning off
> use_fqdn  for a few seconds and seeing all the new directories turn up
> in the log directory (I've lost count of the time that I have spent
> hours tearing my hair out because I've edited the wrong copy of the file :)
> 
> This issue is causing real problems for us because we have some crappy
> monitoring software on our Solaris boxes which generates syslog records
> with "SRS" in the host field regardless of what the host name is and we
> have about 10 of these machines so all the records end up in one file on
> the central server and we can't tell which they are coming from.  I'd
> rather not chain host names which would seem to be the other solution.
> 

In this case syslog-ng will think that SRS is the hostname presented by
the sender, if keep_hostname is set to yes, it will use that name, if it
is set to no, it will replace it with the name that it resolved using
DNS.

An interesting add-on to this behaviour is to use bad_hostname() which
is invented exactly for this purpose: if you use bad_hostname("^SRS$")
it will cause syslog-ng to recognize that this name is bogus and take it
as part of the "program name".

-- 
Bazsi
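As an added illustration (not part of the original thread), here is the poster's options block with the two settings discussed above, keep_hostname(no) and bad_hostname("^SRS$"), alongside a per-host file destination driven by $HOST so that records from the ten Solaris boxes land in separate files; the source and destination names, the udp() source and the /var/log/hosts path are assumptions.

```conf
# Global options: the poster's block plus the two settings from the reply.
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (5000);
    long_hostnames (on);
    use_dns (yes);
    use_fqdn (yes);
    create_dirs (yes);
    # Do not trust the host field in the packet; reverse-resolve the
    # sending IP instead (needs working DNS or /etc/hosts entries).
    keep_hostname (no);
    # Names matching this regexp are treated as bogus and folded into
    # the program name rather than used as the host.
    bad_hostname ("^SRS$");
};

# Assumed network source: the central server receives syslog over UDP.
source s_net { udp(); };

# Assumed destination: one directory per resolved host name, created on
# demand because create_dirs(yes) is set above.
destination d_perhost {
    file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY.log"
         owner(root) group(root) perm(0640));
};

log { source(s_net); destination(d_perhost); };
```

After restarting syslog-ng, a record whose packet host field reads "SRS" should now appear under the directory named after the sender's resolved FQDN rather than under a shared "SRS" directory.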