[syslog-ng] malformed syslog packets?

[Matt Zagrabelny]

Hi!

I've got a central log server running the OSE 3.1.3 version of syslog-ng:

dpkg -l syslog-ng
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                     Version
               Description
+++-========================================-========================================-================================================================================================
ii  syslog-ng                                3.1.3-3
               Next generation logging daemon

I have dns lookup turned on via:

options {
  use_dns(yes);
  dns_cache(2000);
  dns_cache_expire(87600);
};

And this seems to work just fine...except for a certain type of device
on our network.

We have a number of UPSes that log to our central log server and it
seems that the dns look ups do not work for those (types of devices).

% cd /var/log/syslog-ng/remote_clients
% ls -d 10.*
10.25.32.4  10.25.5.15  10.25.5.19  10.25.5.26  10.25.5.35  10.25.5.4
 10.25.5.44  10.25.5.51  10.25.5.6   10.25.5.65  10.25.5.69
10.25.5.76
10.25.5.1   10.25.5.16  10.25.5.2   10.25.5.27  10.25.5.36  10.25.5.40
 10.25.5.49  10.25.5.52  10.25.5.60  10.25.5.66  10.25.5.7
10.25.5.79
10.25.5.10  10.25.5.17  10.25.5.20  10.25.5.28  10.25.5.37  10.25.5.41
 10.25.5.5   10.25.5.55  10.25.5.61  10.25.5.67  10.25.5.72
10.25.5.81
10.25.5.14  10.25.5.18  10.25.5.23  10.25.5.3   10.25.5.38  10.25.5.43
 10.25.5.50  10.25.5.58  10.25.5.62  10.25.5.68  10.25.5.75  10.25.5.9

When I look up those IP addresses, they are *all* APC batteries (UPSes).

For instance:

% dig -x 10.25.5.43 +short
kplz246Abat1.d.umn.edu.

Is it possible that they are sending some sort of munged data to the
log server and syslog-ng is not able to perform the (reverse) name
lookup?

Any advice?

Thanks, much!

-Matt Zagrabelny