[syslog-ng] DNS and hosts

Hari Sekhon hpsekhon at googlemail.com
Thu Sep 28 17:53:51 CEST 2006


that config is almost the same as mine, which means it's also reliant on 
DNS. This is good in that it validates names instead of using names from 
the logs, but bad in that it can stall or put entries with ip addresses 
if it can't find the reverse dns record for the ip of the sending machine.

The 2 main questions still remain:

Does syslog-ng use nsswitch for dns processing, will a hosts file stop 
it from doing dns queries or does syslog-ng bypass this and do dns 
queries anyway?

Is there a way to tell it to use the name from dns or if unavailable 
then keep the hostname from the log entry?

Hari Sekhon



Dukes Clayton wrote:
> Hari,
> This may help:
>
> ###########################################################################################
> # My config below
> ###########################################################################################
> options {
>         long_hostnames(off);
>
>         # doesn't actually help on Solaris, log(3) truncates at 1024 chars
>         log_msg_size(8192);
>
>         # buffer just a little for performance
>         sync(1);
>
>         # memory is cheap, buffer messages unable to write (like to loghost)
>         log_fifo_size(16384);
>
>         # Hosts we don't want syslog from
>         #bad_hostname("^(ctld.|cmd|tmd|last)$");
>
>         # The time to wait before a dead connection is reestablished (seconds)
>         time_reopen(10);
>
>         #Use DNS so that our good names are used, not hostnames
>         use_dns(yes);
>         dns_cache(yes);
>
>         #Use the whole DNS name
>         use_fqdn(no);
>
>         keep_hostname(no);
>         chain_hostnames(yes);
>
>         #Read permission for everyone
>         perm(0644);
>
>         # The default action of syslog-ng 1.6.0 is to log a STATS line
>         # to the file every 10 minutes.  That's pretty ugly after a while.
>         # Change it to every 12 hours so you get a nice daily update of
>         # how many messages syslog-ng missed (0).
>         stats(43200);
> };
>  
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Hari Sekhon
> Sent: Thursday, September 28, 2006 10:20 AM
> To: Syslog-ng users' and developers' mailing list
> Subject: [syslog-ng] DNS and hosts
>
> I have a logserver with a mysql back-end and php-syslog-ng front-end.
>
> I was doing some work on DNS (migration to another machine, another
> version) yesterday and it was down for a little while. I noticed today
> that in the logserver interface I have loads of ip addresses instead of
> hostnames.
>
> So I had to go through and change the fields for all those hosts
> manually, which was quite annoying. In order to stop this from happening
> again I was wondering what steps I could take.
>
> My logserver conf options section is as follows:
>
> options {
>     chain_hostnames(off);
>     sync(10);
>     stats(43200);
>     keep_hostname(no);
>     use_dns(yes);
>     dns_cache(yes);
>     create_dirs(yes);
>     log_fifo_size(5000);
> };
>
> If I change keep_hostname() to yes will I still get validation via dns
> or not? I think not judging from the docs. I was wondering if perhaps it
> would use dns and if unavailable it would use the name from the logs. 
> Wishful thinking?
>
>
> On a DNS front, I was wondering if I could just copy a hosts file with
> all the dns names in it to the /etc/hosts of the linux system running
> the logserver. Would this work? Would syslog-ng obey the nsswitch of the
> linux system and use the hosts file first? Or does it have to do a dns
> request when use_dns(yes) is the options{}; ?
>
> This way, I'll never have this problem again if I need to fiddle the DNS
> server. I already have a hosts file generated when I update my dns
> server records so this is ready to go if it will work...
>
>
> All feedback welcome.
>
> -h
>
> --
> Hari Sekhon
>
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>
>
>   
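An options block added here as an illustration (not posted by anyone in the thread) that addresses the hosts-file question with two options that exist in syslog-ng 3.x but not in the 1.6-era configs quoted above: use_dns(persist_only) and dns_cache_hosts(). The /etc/hosts path is an assumption; point it at whatever file your DNS update job generates.

```conf
# Added example for syslog-ng 3.x; these options are not available in the
# 1.6 configs discussed in the thread.
options {
    # Resolve sender addresses only from the local hosts-format file below.
    # No query leaves the box, so a DNS outage can neither stall the log
    # server nor leave bare IP addresses in the database.
    use_dns(persist_only);
    dns_cache_hosts("/etc/hosts");   # assumed path: IP -> name, /etc/hosts format
    dns_cache(yes);

    # Keep using the resolved name rather than the hostname the client put
    # in the message: that field is under the sender's control, so a
    # misconfigured or compromised client could otherwise file its entries
    # under another host's name.
    keep_hostname(no);
    chain_hostnames(off);
    use_fqdn(no);

    create_dirs(yes);
    log_fifo_size(5000);
    stats(43200);
};
```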


More information about the syslog-ng mailing list