[syslog-ng] Host name handling : FULLHOST_FROM explanation
Balazs Scheidler
bazsi at balabit.hu
Sat Dec 4 13:18:28 CET 2010
On Wed, 2010-12-01 at 10:34 +0100, Christophe Brocas wrote:
> Hello
>
> I am working on the right and consistent way to store log messages in
> destination files. I am trying to obtain a single file per host, based on the
> HOST value in log messages.
>
> Currently, I have inconsistent values in the HOST part of log messages, so
> destination files are also inconsistent.
>
> To address this problem, I am first going to use the SOURCEIP macro in my
> destination file paths.
>
> But I want to improve this situation. So I would like to be sure of the
> understanding I have of the FULLHOST_FROM macro.
>
> If use_dns() is set to yes, does the expansion of the FULLHOST_FROM macro
> follow this stream?
>
> 1. Syslog-NG takes the IP address of the host sending the message
> 2. Syslog-NG tries to get the reverse value (as dig -x) from the IP address
> 3. Syslog-NG expands the macro with the FQDN obtained in point 2
That's right.
> (What if the reverse DNS lookup fails? Does the macro return only the IP address?)
Yes.
--
Bazsi
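
The setup discussed in this thread, as an added configuration fragment that is not from the original messages: one destination keyed on SOURCEIP (the poster's first step) and one keyed on FULLHOST_FROM with use_dns(yes). The source definition, port, and /var/log/hosts/ paths are assumptions chosen for illustration.

```conf
# Added example, not part of the original thread.
# Assumed: a UDP listener on port 514 and the /var/log/hosts/ layout.

options {
    use_dns(yes);    # reverse-resolve the sending host's IP address
};

source s_net {
    udp(ip(0.0.0.0) port(514));
};

# First step from the question: key the path on the sender's IP address.
destination d_by_ip {
    file("/var/log/hosts/${SOURCEIP}/messages.log" create_dirs(yes));
};

# Target setup: key the path on the FQDN from the reverse lookup.
# As confirmed in the reply, when the reverse lookup fails the macro
# expands to the IP address, so those hosts get an IP-named directory.
destination d_by_fqdn {
    file("/var/log/hosts/${FULLHOST_FROM}/messages.log" create_dirs(yes));
};

log { source(s_net); destination(d_by_fqdn); };
```

Because a failed lookup falls back to the IP address, the same host can end up under two directory names if its PTR record appears or disappears over time.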