[syslog-ng] hostname incorrect after upgrade to 3.1.2

Balazs Scheidler bazsi at balabit.hu
Tue Nov 30 13:37:46 CET 2010


On Mon, 2010-11-29 at 15:51 -0500, w3euu wrote:
> > 
> > I just completed an upgrade from source on several (6) systems from
> > syslog-ng 3.1.1 (OSE) to 3.1.2 and then 3.1.3.  
> > All of them went smoothly, without error.  However, after the upgrade to
> > 3.1.2, one of the systems began 
> > reporting the hostname as "localhost" rather than the correct host name.
> > The problem persisted when I 
> > upgraded to 3.1.3.  When I roll it back to 3.1.1 it reports the hostname
> > correctly.
> 
> I assume you see "localhost" on the central log server, right?
> 
> I see "localhost" on the central server and also on the tcp link going from 
> the failed (client) server to the central server -- as observed on the
> offending system.  
> > 
> > All of the systems are Fedora.  Some are fc13, some are fc14.  The system
> > that failed is fc14.  It is
> > forwarding its logs to a central logger via tcp.
> > 
> tcpdump is running on the client machine, and monitoring the traffic 
> leaving that machine, before it gets to the central server.
> 
> Hmm.. is this tcpdump running on the traffic between the client and the
> central server? Because of keep_hostname(no) setting in your server's
> settings, it doesn't matter what is on the wire.
> 
> Tcpdump is running on the client.  The problem seems to be there, not on
> the central server.
> 
> Since you are using keep_hostname(no), this means that the syslog-ng
> server will always use the resolved name as the hostname, rather than
> the one provided by the client.
> 
> I am 95% sure I tried keep_hostname(yes) on the client earlier, and it made
> no difference.
> I can try again if you think that's the problem.
> 
> Can you show what tcpdump has shown on the wire traffic? Also, can you
> strace syslog-ng for a short while and see if syslog-ng is trying to
> resolve hostnames? (although syslog-ng will definitely cache hostnames,
> so that will only work for the first occasion as syslog-ng receives a
> message from the offending system).
> 
> I have attached tcpdump and strace outputs.  Both tcpdump and strace are
> running on the
> "offending" system.  It is running syslog-ng version 3.1.3.  Not sure that
> the strace is what you want
> as I am new to that program.  Let me know in greater detail what you need if
> this isn't it.

strace is not what I wanted, you should have followed the child process
like this:

strace -s 256 -o /tmp/strace.dmp -f /sbin/syslog-ng 

See this chapter in the documentation:

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/syslog-ng-strace-truss-tusc.html

(you may need to replace the path of syslog-ng as the documentation
assumes the paths used by our binary installer)

But anyway, I have an idea: do you have the hostname set on the client
host properly? syslog-ng uses the gethostname() call to determine the
hostname.

And if that is not fully qualified, it'll attempt to do the same with
reverse DNS (e.g. most probably from /etc/hosts).

Here's the pseudo code that does the hostname lookup (original in the
function reset_cached_hostname() in misc.c):

  local_hostname_fqdn = gethostname(local_hostname_fqdn);
  if (local_hostname_fqdn has no '.' character in it (e.g. not fully qualified))
    {
      /* not fully qualified, resolve it using DNS or /etc/hosts */
      local_hostname_fqdn = gethostbyname(local_hostname_fqdn);
    }

e.g. it'll try to resolve the name returned by gethostname() (e.g. the 
contents of /etc/hostname on most distros) using /etc/hosts.

-- 
Bazsi
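
Added example, not part of the original message and not syslog-ng's code: a small C program that follows the lookup described above and shows how the order of names on a hosts-file line decides the result for a short hostname. The hosts-file contents, the name "client1" and the function name cached_hostname() are constructed for illustration; main() also prints what gethostname() and gethostbyname() return on the machine it is run on.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Constructed sample hosts files; "client1" is a hypothetical short hostname. */
const char HOSTS_BAD[]  = "127.0.0.1 localhost localhost.localdomain client1\n";
const char HOSTS_GOOD[] = "127.0.0.1 localhost\n192.0.2.10 client1.example.com client1\n";

/* Copy the next token on the current line into tok; 0 at end of line or comment. */
static int next_tok(const char **p, char *tok, size_t len)
{
    *p += strspn(*p, " \t");
    size_t n = strcspn(*p, " \t\n#");
    if (n == 0 || n >= len) return 0;
    memcpy(tok, *p, n);
    tok[n] = '\0';
    *p += n;
    return 1;
}

/* Lookup from the message, with the hosts-file rule that the first name after the
 * address is canonical. Assumption: a name that does not resolve is kept as is. */
const char *cached_hostname(const char *hosts, const char *name, char *out, size_t len)
{
    char addr[64], canon[256], tok[256];
    snprintf(out, len, "%s", name);
    if (strchr(name, '.')) return out;            /* already fully qualified */
    for (const char *line = hosts; *line; line += (*line == '\n')) {
        const char *p = line;
        line += strcspn(line, "\n");              /* advance to end of this line */
        if (!next_tok(&p, addr, sizeof addr) || !next_tok(&p, canon, sizeof canon)) continue;
        strcpy(tok, canon);                       /* same buffer size, cannot overflow */
        do {
            if (strcasecmp(tok, name) == 0) { snprintf(out, len, "%s", canon); return out; }
        } while (next_tok(&p, tok, sizeof tok));
    }
    return out;
}

int main(void)
{
    char name[256] = "", buf[256];
    gethostname(name, sizeof name - 1);
    struct hostent *he = strchr(name, '.') ? NULL : gethostbyname(name);
    printf("this host: gethostname()=%s resolved=%s\n", name, he ? he->h_name : name);
    printf("constructed bad sample: %s\n", cached_hostname(HOSTS_BAD, "client1", buf, sizeof buf));
    return 0;
}
```

With the first constructed file the short name resolves to "localhost" because it is listed only as an alias on the loopback line; with the second it resolves to the fully qualified name.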


