[syslog-ng] hostname incorrect after upgrade to 3.1.2

Balazs Scheidler bazsi at balabit.hu
Mon Nov 29 15:38:38 CET 2010


Hi,

On Mon, 2010-11-29 at 08:48 -0500, w3euu wrote:
> I have used syslog-ng for many years and have been a faithful reader of the
> mailing list, but do not believe
> I have ever had occasion to post.  Thank you for an excellent product and
> for the great support you have
> provided.  I have always been able to solve problems by reading the
> archives...until now.

Thanks :)

> 
> I just completed an upgrade from source on several (6) systems from
> syslog-ng 3.1.1 (OSE) to 3.1.2 and then 3.1.3.  
> All of them went smoothly, without error.  However, after the upgrade to
> 3.1.2, one of the systems began 
> reporting the hostname as "localhost" rather than the correct host name.
> The problem persisted when I 
> upgraded to 3.1.3.  When I roll it back to 3.1.1 it reports the hostname
> correctly.

I assume you see "localhost" on the central log server, right?

> 
> All of the systems are Fedora.  Some are fc13, some are fc14.  The system
> that failed is fc14.  It is
> forwarding its logs to a central logger via tcp.
> 
> I have checked the following:
> 	hosts file is OK.  Contains only 127.0.0.1 entry as localhost
> 	dig -x returns the correct hostname
> 	hostname returns the correct hostname
> 	tcpdump confirms that syslog-ng is reporting "localhost"

Hmm.. is this tcpdump running on the traffic between the client and the
central server? Because of keep_hostname(no) setting in your server's
settings, it doesn't matter what is on the wire.

> 
> I was unable to correct the problem by changing global options.  Global
> options are:
> 
> options {
>     flush_lines (0);
>     time_reopen (10);
>     log_fifo_size (1000);
>     long_hostnames (off);
>     use_dns (yes);
>     use_fqdn (no);
>     create_dirs (no);
>     check_hostname(yes);
>     chain_hostnames(no);
>     keep_hostname (no);
>     stats_freq (43200);
>     mark_freq (1200);
>     keep_timestamp (no);
> #     send_time_zone (-04:00);
> };
> 
> I have googled but have not found anything that seemed relevant.
> 
> Not sure how to proceed to correct this situation.   Any ideas would be
> appreciated.
> I would be happy to post additional data that will help.

Since you are using keep_hostname(no), this means that the syslog-ng
server will always use the resolved name as the hostname, rather than
the one provided by the client.

Can you show what tcpdump has shown on the wire traffic? Also, can you
strace syslog-ng for a short while and see if syslog-ng is trying to
resolve hostnames? (although syslog-ng will definitely cache hostnames,
so that will only work for the first occasion as syslog-ng receives a
message from the offending system).

The only related issue I seem to remember is the problem with
non-zero-terminating hostnames, but AFAIR it only affected
chained_hostnames(yes) (equal to long_hostnames) which you don't use.

-- 
Bazsi
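
A simplified model of the keep_hostname(no) behaviour described in the reply above, showing why the HOST field seen on the wire can differ from what the central server records. This is an added example, not part of the original message and not syslog-ng's own code; the function names are hypothetical, and the addresses, resolver table and log line are constructed.

```python
import re

# BSD-syslog style line: <PRI>Mmm dd hh:mm:ss HOST rest-of-message
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed reverse-lookup table standing in for DNS / the hosts file.
CONSTRUCTED_PTR = {"192.0.2.10": "web01.example.net"}

# Constructed payload, as it might appear in a packet capture.
SAMPLE = "<13>Nov 29 08:48:01 localhost sshd[4321]: session opened"


def wire_host(line):
    """Return the HOST field the client put on the wire, or None."""
    m = BSD_SYSLOG.match(line)
    return m.group("host") if m else None


def stored_host(line, peer_ip, resolve=CONSTRUCTED_PTR.get,
                keep_hostname=False, use_dns=True, use_fqdn=False):
    """Model of which name the receiving server records (assumption:
    a simplification of the option semantics, not the real code path)."""
    if keep_hostname:
        host = wire_host(line)
        if host:
            return host                 # trust the client-supplied name
    # keep_hostname(no): the wire value is ignored; use the peer address.
    name = resolve(peer_ip) if use_dns else None
    if name is None:
        return peer_ip                  # no name available: record the IP
    return name if use_fqdn else name.split(".")[0]


def compare(line, peer_ip, **opts):
    """Return (name on the wire, name the server stores) for one message."""
    return wire_host(line), stored_host(line, peer_ip, **opts)


if __name__ == "__main__":
    print(compare(SAMPLE, "192.0.2.10"))
    print(compare(SAMPLE, "192.0.2.10", keep_hostname=True))
```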


