[syslog-ng] use_fqdn()

Balazs Scheidler bazsi at balabit.hu
Sun Nov 14 13:21:49 CET 2010


On Thu, 2010-11-11 at 13:41 -0500, Brian A. Seklecki wrote:
> Quick question:
> 
>     How does use_fqdn() interact with the various HOST, 
>     HOST_FROM, FULLHOST, FULLHOST_FROM?
> 
> My understanding is that $FULLHOST and $FULLHOST_FROM are the only ones
> that will include the FQDN.

use_fqdn() is only used in one case: when syslog-ng itself is resolving
hostnames. It doesn't cause truncation of the hostname field received
from the network. If that's to be trusted and changed, either it should
be configured on the originating system, _or_ rewritten locally.

syslog-ng _always_ resolves hostnames and puts the result in the
$HOST_FROM name-value pair (thus that value always reflects the use_fqdn
setting).

Then, depending on the configuration the $HOST value is overridden or
not.

$HOST is overridden in these cases:
  1) keep_hostname is FALSE
  2) the incoming message has no hostname information

> 
> Does use_fqdn() override that?
> 
> Is the ideal config to have use_fqdn(yes) + use_dns(yes) +
> keep_hostname(no) and set $FULLHOST_FROM or $FULLHOST everywhere you
> want a FQDN so long as DNS is there?


FULLHOST is only different from HOST in case chained_hostnames() is in
use.

In case chained_hostnames() is in effect, $HOST is a derived value:
basically it extracts the last hostname from a chained_hostname()
format, $FULLHOST is the complete stuff.

So if you have this in your hostname field:

original/relay1/relay2/relay3

The $HOST would be "original", $FULLHOST would be the full string.
That's the only difference between FULLHOST & HOST. So it doesn't care
about fqdn() setting, it just uses the value already there.

This means that right now you don't have any functionality to truncate
the domain part from a hostname using macros. If you want that, you need
to make sure everything is resolved as an FQDN and then use a rewrite
rule to store the truncated hostname in a different name-value pair.

E.g.

options { use_fqdn(yes); use_dns(yes); keep_hostname(no); };

rewrite r_hostnames {
	# the FQDN is made available in HOST_FQDN
	set("$HOST" value("HOST_FQDN"));
	# HOST is truncated to only contain the hostname without domain (beware: regexp untested!)
	subst('^([\-a-zA-Z0-9]+)\..*$', '$1' value("HOST"));
};





-- 
Bazsi
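
The derivation rules described in this message, modelled as an added Python sketch (not part of the original post and not syslog-ng code). The function names and the example.com hostnames are assumptions made for illustration; it also covers the case where the sender does not resolve and the host value is an IP address, which a first-dot truncation would mangle.

```python
import ipaddress
import re

# Shape of the subst() pattern in the post; "+" and digits are this sketch's
# assumption so that multi-character labels such as "web01" match.
SHORT_RE = re.compile(r'^([-a-zA-Z0-9]+)\..*$')

def derive_macros(msg_host, resolved_peer, keep_hostname):
    """Simplified model of the rules in the post (hypothetical helper).
    msg_host: hostname field of the received message, None if absent.
    resolved_peer: the name syslog-ng resolved for the sender itself, so it
    already reflects use_dns()/use_fqdn()."""
    host_from = resolved_peer                  # HOST_FROM is always resolved
    if not keep_hostname or not msg_host:      # the two override cases
        fullhost = resolved_peer
    else:
        fullhost = msg_host                    # sender-supplied, taken as-is
    host = fullhost.split('/')[0]              # "original" in the post's example
    return {'HOST_FROM': host_from, 'FULLHOST': fullhost, 'HOST': host}

def short_name(host):
    """Drop the domain part, leaving IP literals intact: a peer that does not
    resolve appears as its address, and cutting "10.0.0.5" at the first dot
    would leave "10"."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return SHORT_RE.sub(r'\1', host)

if __name__ == '__main__':
    # Constructed sample inputs (example.com names are placeholders).
    cases = [('original/relay1/relay2/relay3', 'relay3.example.com', True),
             ('claimed-name', 'web01.example.com', False),
             (None, '10.0.0.5', True)]
    for msg_host, peer, keep in cases:
        m = derive_macros(msg_host, peer, keep)
        print(m, 'short:', short_name(m['HOST']))
```

With keep_hostname(no), the name a sender writes into its own message never reaches $HOST, so filters and file paths keyed on $HOST follow the resolved peer rather than a claimed identity.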



