[syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?
Balazs Scheidler
bazsi at balabit.hu
Mon Jan 15 21:15:16 CET 2007
On Mon, 2007-01-15 at 12:52 -0600, Ivey, Chris wrote:
> Thanks Bazsi. I finally got to the bottom of this, quite on accident.
> On a whim (since nothing else was working), I changed the destination
> for forwarding from hostnames to IP addresses. After I stopped and
> restarted the syslog-ng service, all worked well. I noticed in all my
> ltrace outputs that syslog-ng was performing a LOT of DNS queries when
> spoofing was on and we were using hostnames as the targets. There is
> not a local DNS server with this syslog-ng server, so the queries were
> taking quite a bit of time to come back (50-60 ms). Once I made the
> change to IP addresses, everything worked much better. I have now set
> my other syslog-ng server to use IP addresses instead of hostnames for
> forwarding as well.
>
> Whoever runs the syslog-ng FAQ on campin.net may need to know that if
> you have performance issues, switching your targets to IP addresses
> instead of hostnames may clear up some issues.
>
> Can you explain to me, though, why the spoofing needs to do so many
> nslookups? Why can it not cache the results of the first query? Does
> the application block waiting for DNS queries to come back? That may
> need to be addressed.... Thanks!

Sure, this is a bug. When I add spoof-source support to 2.0.x, I'll take
care of this.

--
Bazsi
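
The effect described in this thread, as an added sketch that is not syslog-ng code and does not come from either poster: a forwarder that resolves its destination hostname on every message, next to one that caches the answer. The `Forwarder` class, the 55 ms lookup latency (inside the 50-60 ms range reported above), the hostname and the address are all constructed for illustration, and time is simulated so the block runs offline.

```python
import time

class Forwarder:
    """Toy log forwarder; resolve() and send() are injected (hypothetical API)."""
    def __init__(self, host, resolve, send, cache_ttl=None, clock=time.monotonic):
        self.host, self.resolve, self.send = host, resolve, send
        self.cache_ttl = cache_ttl      # None = look the name up for every message
        self.clock = clock
        self._addr, self._expires = None, 0.0

    def _destination(self):
        if self.cache_ttl is None:
            return self.resolve(self.host)          # blocking lookup per message
        now = self.clock()
        if self._addr is None or now >= self._expires:
            self._addr = self.resolve(self.host)    # refresh only when stale
            self._expires = now + self.cache_ttl
        return self._addr

    def forward(self, msg):
        self.send(msg, (self._destination(), 514))

class FakeClock:
    """Simulated clock so the latency cost is deterministic."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, dt): self.t += dt

class SlowResolver:
    """Constructed stand-in for a non-local DNS server with a fixed round trip."""
    def __init__(self, latency, clock):
        self.latency, self.clock, self.calls = latency, clock, 0
    def __call__(self, host):
        self.calls += 1
        self.clock.advance(self.latency)            # the sender is stalled meanwhile
        return "192.0.2.10"                         # documentation-range address

def run(messages, cache_ttl, latency=0.055):
    """Return (DNS lookups, seconds spent blocked on DNS, messages sent)."""
    clock = FakeClock()
    resolver = SlowResolver(latency, clock)
    sent = []
    fwd = Forwarder("loghost.example", resolver,
                    lambda msg, addr: sent.append(addr), cache_ttl, clock)
    for i in range(messages):
        fwd.forward(f"<13>constructed test message {i}")
    return resolver.calls, round(clock.t, 3), len(sent)

if __name__ == "__main__":
    print("per-message lookup:", run(1000, None))
    print("cached for 300 s:  ", run(1000, 300))
```

With a lookup per message the sender cannot exceed roughly 18 messages per second at this latency, so a burst arriving faster than that has to queue or be dropped on the receiving socket; pointing the destination at an IP address removes the lookup entirely.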