[syslog-ng] hostname incorrect after upgrade to 3.1.2

w3euu w3euu at arrl.net
Mon Nov 29 21:51:46 CET 2010


> 
> I just completed an upgrade from source on several (6) systems from
> syslog-ng 3.1.1 (OSE) to 3.1.2 and then 3.1.3.  
> All of them went smoothly, without error.  However, after the upgrade to
> 3.1.2, one of the systems began 
> reporting the hostname as "localhost" rather than the correct host name.
> The problem persisted when I 
> upgraded to 3.1.3.  When I roll it back to 3.1.1 it reports the hostname
> correctly.

I assume you see "localhost" on the central log server, right?

I see "localhost" on the central server and also on the tcp link going from 
the failed (client) server to the central server -- as observed on the
offending system.  
> 
> All of the systmes are fedora.  Some are fc13, some are fc14.  The system
> that failed is fc14.  It is
> forwarding its logs to a central logger via tcp.
> 
tcpdump is running on the client machine, and monitoring the traffic 
leaving that machine, before it gets to the central server.

Hmm.. is this tcpdump running on the traffic between the client and the
central server? Because of keep_hostname(no) setting in your server's
settings, it doesn't matter what is on the wire.

Tcpdump is running on the client.  The problem seems to be there, not on
the central server.

Since you are using keep_hostname(no), this means that the syslog-ng
server will always use the resolved name as the hostname, rather than
the one provided by the client.

I am 95% sure I tried keep_hostname(yes) on the client earlier, and it made
no difference.
I can try again if you think that's the problem.

Can you show what tcpdump has shown on the wire traffic? Also, can you
strace syslog-ng for a short while and see if syslog-ng is trying to
resolve hostnames? (although syslog-ng will definitely cache hostnames,
so that will only work for the first occasion as syslog-ng receives a
message from the offending system).

I have attached tcpdump and strace outputs.  Both tcpdump and strace are
running on the
"offending" system.  It is running syslog-ng version 3.1.3.  Not sure that
the strace is what you want
as I am new to that program.  Let me know in greater detail what you need if
this isn't it.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcpdump.txt
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20101129/c8f353a5/attachment-0002.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: strace.txt
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20101129/c8f353a5/attachment-0003.txt 


More information about the syslog-ng mailing list