[syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?

Balazs Scheidler bazsi at balabit.hu
Mon Jan 15 21:15:16 CET 2007

On Mon, 2007-01-15 at 12:52 -0600, Ivey, Chris wrote:
> Thanks Bazsi.  I finally got to the bottom of this, quite on accident.
> On a whim (since nothing else was working), I changed the destination
> for forwarding from hostnames to IP addresses.  After I stopped and
> restarted the syslog-ng service, all worked well.  I noticed in all my
> ltrace outputs that syslog-ng was performing a LOT of DNS queries when
> spoofing was on and we were using hostnames as the targets.  There is
> not a local DNS server with this syslog-ng server, so the queries were
> taking quite a bit of time to come back (50-60 ms).  Once I made the
> change to IP addresses, everything worked much better.  I have now set
> my other syslog-ng server to use IP addresses instead of hostnames for
> forwarding as well.
> Whoever runs the syslog-ng FAQ on campin.net may need to know that if
> you have performance issues, switching your targets to IP addresses
> instead of hostnames may clear up some issues.
> Can you explain to me, though, why the spoofing needs to do so many
> nslookups?  Why can it not cache the results of the first query?  Does
> the application block waiting for DNS queries to come back?  That may
> need to be addressed....  Thanks!

Sure, this is a bug. When I add spoof-source support to 2.0.x, I'll take
care of this.
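
A small model of why per-message DNS lookups at the 50-60 ms latency reported above end in dropped packets, added here as an illustration and not taken from syslog-ng or from either poster. It assumes the forwarder is single-threaded and resolves the destination synchronously before each send; the arrival rate, buffer size and send cost are constructed values.

```python
from collections import deque

# Constructed values, except LOOKUP_US, which is the middle of the 50-60 ms
# DNS round trip reported in the thread.
LOOKUP_US = 55_000      # one DNS lookup
SEND_US = 100           # assumed cost of building and sending one packet
RATE_PER_S = 200        # assumed incoming message rate
BUFFER_SLOTS = 256      # assumed capacity of the receive buffer, in messages


def simulate(cache_dns, duration_s=10):
    """Model a single-threaded forwarder that (by assumption) resolves the
    destination synchronously before each send. Returns (forwarded, dropped)."""
    interval_us = 1_000_000 // RATE_PER_S
    queue = deque()          # arrival times of messages waiting in the buffer
    busy_until = 0           # time at which the forwarder is next free
    forwarded = dropped = 0
    for n in range(RATE_PER_S * duration_s):
        now = n * interval_us
        # Start every queued message the forwarder got to before this arrival.
        while queue and busy_until <= now:
            arrived = queue.popleft()
            needs_lookup = not cache_dns or forwarded == 0
            cost = SEND_US + (LOOKUP_US if needs_lookup else 0)
            busy_until = max(busy_until, arrived) + cost
            forwarded += 1
        if len(queue) >= BUFFER_SLOTS:
            dropped += 1     # buffer full: the packet is lost
        else:
            queue.append(now)
    forwarded += len(queue)  # still buffered at the end, delivered late
    return forwarded, dropped


def max_rate(cache_dns):
    """Sustainable messages per second for one forwarder in this model."""
    return 1_000_000 // (SEND_US + (0 if cache_dns else LOOKUP_US))


if __name__ == "__main__":
    for label, cached in (("lookup per message", False), ("resolved once", True)):
        fwd, drop = simulate(cached)
        print(f"{label:20s} forwarded={fwd:5d} dropped={drop:5d} "
              f"ceiling={max_rate(cached)} msg/s")
```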