[syslog-ng] $HOST macro and relay host

Balazs Scheidler bazsi at balabit.hu
Thu Nov 5 23:06:50 CET 2009


On Wed, 2009-11-04 at 09:03 -0600, Jason Barrett wrote:
> 
> 
> Balazs Scheidler wrote: 
> > On Fri, 2009-10-30 at 14:23 -0500, Jason Barrett wrote:
> >   
> > > Hi all,
> > > 
> > > I'm relaying log messages from one syslog-ng server to another.  At the 
> > > final stop, the only way I can get the $HOST macro to work is if I 
> > > enable dns resolution on server 1.  Is this by design?  Here are the 
> > > relevant configs:
> > > 
> > > ----------------------------------------------------------------------
> > > 
> > > syslog-ng server 1 (relays to server 2):
> > > chain_hostnames(yes);
> > > keep_hostname(yes);
> > > use_dns(no);
> > > 
> > > source s_udp { udp(port(514)); };
> > > destination df_udpback { udp("192.168.1.157" port(514)); };
> > > log { source(s_udp); destination(df_udpback); };
> > > 
> > > ----------------------------------------------------------------------
> > > 
> > > syslog-ng server 2:
> > > chain_hostnames(yes);
> > > keep_hostname(yes);
> > > use_dns(yes);
> > > 
> > > source s_udp { udp(port(514)); };
> > > destination df_udp { file("/var/log/ics/$HOST/$YEAR/$MONTH/$DAY"); };
> > > log { source(s_udp); destination(df_udp); };
> > > 
> > > ----------------------------------------------------------------------
> > > 
> > > Sample log message on server 2:
> > > Oct 30 09:35:03 10.12.24.46/10.12.24.46 %ASA-5-111005: 10.28.22.55 end configuration: OK
> > > 
> > > 10.12.24.46 is the correct IP address of the originating host, and $HOST 
> > > resolves to this IP address.  I would prefer $HOST to resolve to the 
> > > hostname as it exists in the /etc/hosts file.
> > >     
> > 
> > $HOST always resolves to the "HOST" portion of the syslog message.
> > 
> > syslog-ng can resolve only from /etc/hosts if you use these global
> > options:
> > 
> > options { use-dns(persist-only) dns-cache-hosts('/etc/hosts'); };
> > 
> >   
> "$HOST always resolves to the "HOST" portion of the syslog message."
> 
> So if the syslog message's host field contains an IP Address, $HOST will always resolve to the IP address regardless of the use-dns setting?

That depends on the keep-hostname() setting. It works like this:

* A message comes in with something in its "HOST" field; the message may
lack a hostname, in which case syslog-ng _always_ adds one.
* syslog-ng decides whether it should trust the hostname field
(if keep-hostname() is set to yes it will trust it; if set to no it will not).
* If keep-hostname() is set to no, then syslog-ng will rewrite the HOST
field, possibly using DNS (use-dns(yes)).

Anything that refers to the HOST macro is done after this rewrite is
complete.

-- 
Bazsi
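
Added example (not part of the thread, and not configuration from either poster): the two configs from the question rewritten so that the three steps above produce a hosts-file name in $HOST on the final server. The addresses and ports are the ones from the question; the assumption is that /etc/hosts on server 1 maps 10.12.24.46 to some name (the name itself is hypothetical, nothing in the thread gives it).

```conf
# Added example, not from the thread. Assumes /etc/hosts on server 1 contains
# an entry for 10.12.24.46 (hypothetical; the thread does not show the file).

# --- syslog-ng server 1 (receives directly from the devices, relays to 192.168.1.157)
options {
    # Do not trust the HOST field the device sent. An ASA sends no hostname,
    # so syslog-ng fills the field itself; with keep-hostname(yes) and
    # use-dns(no) that filled-in value is the bare source address.
    keep-hostname(no);
    # Rewrite HOST from the sender's address, resolving only from the local
    # hosts file: no DNS queries, no dependency on a resolver at log time.
    use-dns(persist-only);
    dns-cache-hosts('/etc/hosts');
    # Keep HOST a single name. The sample message in the question shows the
    # chained "a/b" form, which the file() template on server 2 would turn
    # into an extra directory level.
    chain-hostnames(no);
};

source s_udp { udp(port(514)); };
destination df_udpback { udp("192.168.1.157" port(514)); };
log { source(s_udp); destination(df_udpback); };

# --- syslog-ng server 2 (final stop, writes one directory tree per host)
options {
    # The relay already replaced HOST with the device's name; trust it.
    # With keep-hostname(no) here, HOST would be rewritten to server 1's
    # address, because server 1 is the sender that server 2 sees.
    keep-hostname(yes);
    use-dns(no);
    chain-hostnames(no);
};

source s_udp { udp(port(514)); };
destination df_udp { file("/var/log/ics/$HOST/$YEAR/$MONTH/$DAY"); };
log { source(s_udp); destination(df_udp); };
```

Two things to keep in mind when using this. The rewrite in step 3 is done per hop from the address of the immediate sender, so the hosts-file lookup has to happen on the server that talks to the devices directly, and every hop after it must keep-hostname(yes) or the device name is lost. And keep-hostname(no) only moves trust from the hostname string inside the message to the packet's source address; over plain UDP that address is still forgeable, so the hosts-file lookup removes the DNS dependency but does not authenticate the sender.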