[syslog-ng] $HOST macro and relay host

Lance Laursen lance at demonware.net
Fri Nov 6 21:24:36 CET 2009


Yep. It sounds like you need to resolve an IP to a hostname, and if
you can do it at the first syslog-ng hop that will be the easiest.
There are a lot of messages with regards to keep_hostname and $HOST
macro confusion, so I'm going to be long-winded for others who read
this, as it sounds like you already have a bead on what's going on.
Bazsi, feel free to correct me at any spot.

Keep in mind that using the keep_hostname(yes) option makes it so that
use_dns() will never be called. Here's standard syslog format:

<time>  <hostname>  <daemon[PID]>: <message>

Using keep_hostname(yes), syslog-ng will ignore any information about
what host/syslog server passed it the message. It will only look at
the <host> column of the message to determine what $HOST gets set to.

So, let's say you've got:

switch1  -->  sys-relay --> sys-central

Switch1 has IP address 10.1.1.123. With keep_hostname(yes) on
sys-relay, the log gets written out by sys-relay like this:

<time>  10.1.1.123  <cisco-counter-pid>: <message>

So let's say you wanted sys-relay to resolve 10.1.1.123 to a hostname.
You would do this if you had appropriate PTR records set up on your
DNS server for reverse DNS to work:
keep_hostname(no)
use_dns(yes)
Or, if you don't have access to modify your DNS resolver and wanted to
put your entries in /etc/hosts instead, you would use these options:
keep_hostname(no)
use-dns(persist-only)
dns-cache-hosts('/etc/hosts')

Then, your logs on sys-relay would get written out like this (assuming
10.1.1.123 resolves to cisco-switch1):

<time>  cisco-switch1  <cisco-counter-pid>: <message>

sys-relay would then send that log to sys-central just like that too.
Then on sys-central, you would of course just use:
keep_hostname(yes);
and it would write out its own logs exactly the same as they appear on
sys-relay:
<time>  cisco-switch1  <cisco-counter-pid>: <message>

If you used keep_hostname(no) on sys-central, then sys-central would
take a look at who it got the log from, ignore the <host> column of
the log message, and write its logs out as:
<time> sys-relay <cisco-counter-pid>: <message>
which I don't think you want.


Spoof-source would be used in the case that you can't resolve
10.1.1.123 from sys-relay, or perhaps you don't want to do any DNS
resolution at all and want to save logs with the original IP in them
at the very last hop for some reason. Using the 'spoof source' option,
you're basically telling sys-relay to rewrite the UDP packet
source IP to 10.1.1.123 on whatever messages it is forwarding. Keep in
mind you have to be sending in UDP for spoof source to work, and you
have to compile your syslog-ng with ./configure --enable-spoof-source.

Hope that helps

On Thu, Nov 5, 2009 at 6:40 PM, Jason Barrett <knotam at knotam.com> wrote:
>
>
> Balazs Scheidler wrote:
>
> On Wed, 2009-11-04 at 09:03 -0600, Jason Barrett wrote:
>
>
> Balazs Scheidler wrote:
>
>
> On Fri, 2009-10-30 at 14:23 -0500, Jason Barrett wrote:
>
>
>
> Hi all,
>
> I'm relaying log messages from one syslog-ng server to another.  At the
> final stop, the only way I can get the $HOST macro to work is if I
> enable dns resolution on server 1.  Is this by design?  Here are the
> relevant configs:
>
> ----------------------------------------------------------------------
>
> syslog-ng server 1 (relays to server 2):
> chain_hostnames(yes);
> keep_hostname(yes);
> use_dns(no);
>
> source s_udp { udp(port(514)); };
> destination df_udpback { udp("192.168.1.157" port(514)); };
> log { source(s_udp); destination(df_udpback); };
>
> ----------------------------------------------------------------------
>
> syslog-ng server 2:
> chain_hostnames(yes);
> keep_hostname(yes);
> use_dns(yes);
>
> source s_udp { udp(port(514)); };
> destination df_udp { file("/var/log/ics/$HOST/$YEAR/$MONTH/$DAY"); };
> log { source(s_udp); destination(df_udp); };
>
> ----------------------------------------------------------------------
>
> Sample log message on server 2:
> Oct 30 09:35:03 10.12.24.46/10.12.24.46 %ASA-5-111005: 10.28.22.55 end
> configuration: OK
>
> 10.12.24.46 is the correct IP address of the originating host, and $HOST
> resolves to this IP address.  I would prefer $HOST to resolve to the
> hostname as it exists in the /etc/hosts file.
>
>
>
> $HOST always resolves to the "HOST" portion of the syslog message.
>
> syslog-ng can resolve only from /etc/hosts if you use these global
> options:
>
> options { use-dns(persist-only) dns-cache-hosts('/etc/hosts'); };
>
>
>
>
> "$HOST always resolves to the "HOST" portion of the syslog message."
>
> So if the syslog message's host field contains an IP Address, $HOST will
> always resolve to the IP address regardless of the use-dns setting?
>
>
> That depends on the keep-hostname() setting. It works like this:
>
> * message comes in with something in its "HOST" field, the message may
> lack a hostname in which case syslog-ng _always_ adds one.
> * syslog-ng decides whether it should trust the hostname field
> (keep-hostname is set to yes it will trust it, if set to no it will not)
> * if keep-hostname() is set to no, then syslog-ng will rewrite the HOST
> field, possibly using DNS use-dns(yes)
>
> Anything that refers to the HOST macro is done after this rewrite is
> complete.
>
>
>
> Thanks for the reply.
>
> Using keep-hostname(no), syslog-ng rewrites (or appends if
> chain-hostname(yes)) the hostname using the source IP of the packet.
> Unfortunately, I trust the original IP address, I just want to resolve it to
> a name.  I think the only way to accomplish this is to use the spoof-source
> option or rewrite the hostname at the first syslog-ng hop.  Is this
> accurate?
>



-- 
Lance Laursen
Demonware Systems Engineer
1-604-689-4594 x3702
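As an added illustration (not code from the thread or from syslog-ng itself), here is a small Python model of how $HOST is decided at each hop under the keep_hostname / use_dns / spoof-source rules explained above, run through the switch1 -> sys-relay -> sys-central chain. The HOSTS table, the addresses 10.1.1.2 and 10.1.1.1 for the relay and central servers, and the assumption that switch1 puts its own IP in the HOST field are constructed for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for PTR records or dns-cache-hosts('/etc/hosts').
HOSTS = {"10.1.1.123": "cisco-switch1", "10.1.1.2": "sys-relay"}

@dataclass
class Hop:
    """One syslog-ng instance in the chain and the options that matter here."""
    ip: str                      # packet source address the next hop will see
    keep_hostname: bool          # trust the HOST field exactly as received
    use_dns: bool                # yes / persist-only: resolve the sender address
    spoof_source: bool = False   # forward with the original sender IP (UDP only)

    def host_macro(self, msg_host, src_ip):
        """$HOST for a message whose HOST field is msg_host, received from src_ip."""
        if self.keep_hostname:
            # Trusted as sent: use_dns is never consulted, so whoever wrote the
            # HOST field controls $HOST (and any $HOST-derived file path).
            return msg_host
        # keep_hostname(no): ignore the field, use who actually sent the packet.
        return HOSTS.get(src_ip, src_ip) if self.use_dns else src_ip

def relay_chain(hops, origin_host, origin_ip):
    """Push one message through the hops; return $HOST as seen at each hop."""
    host, src_ip, seen = origin_host, origin_ip, []
    for hop in hops:
        host = hop.host_macro(host, src_ip)
        seen.append(host)
        # Without spoof-source the next hop sees this relay as the sender.
        src_ip = src_ip if hop.spoof_source else hop.ip
    return seen

# Scenarios from the thread (switch1 = 10.1.1.123, sys-relay = 10.1.1.2,
# sys-central = 10.1.1.1; the switch sends its own IP in the HOST field).
def resolve_at_relay():
    relay = Hop("10.1.1.2", keep_hostname=False, use_dns=True)
    central = Hop("10.1.1.1", keep_hostname=True, use_dns=False)
    return relay_chain([relay, central], "10.1.1.123", "10.1.1.123")

def central_rewrites_to_relay():
    relay = Hop("10.1.1.2", keep_hostname=False, use_dns=True)
    central = Hop("10.1.1.1", keep_hostname=False, use_dns=True)
    return relay_chain([relay, central], "10.1.1.123", "10.1.1.123")

def spoof_source_resolve_at_last_hop():
    relay = Hop("10.1.1.2", keep_hostname=True, use_dns=False, spoof_source=True)
    central = Hop("10.1.1.1", keep_hostname=False, use_dns=True)
    return relay_chain([relay, central], "10.1.1.123", "10.1.1.123")
```

resolve_at_relay() yields cisco-switch1 at both hops, central_rewrites_to_relay() shows sys-central replacing it with sys-relay, and spoof_source_resolve_at_last_hop() shows the IP surviving the relay and being resolved only at the end.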
