[syslog-ng] syslog uses wrong and weird hostnames

Daniel Neubacher daniel.neubacher at xing.com
Wed Nov 28 13:41:07 CET 2012


I hope I’ve found a workaround now… Unfortunately I made a mistake while disabling IPv6 on my Debian host. I tried to disable it with “net.ipv6.conf.all.disable_ipv6=1”, but this didn’t work out. Setting “net.ipv6.conf.bond0.disable_ipv6 = 1” did the job and my syslog-ng faulty-name rate went down to almost none. I hope the problem is gone now, but I will monitor this more closely for 2 more weeks.

It seems like syslog-ng doesn’t like IPv6 and I hope this will be fixed in the future.

From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of Daniel Neubacher
Sent: Thursday, 22 November 2012 11:35
To: Balazs Scheidler; Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog uses wrong and weird hostnames

Sorry, but I was given other tasks over the last few weeks; now I’m on this problem again… I still can’t figure it out :(

> keep-hostname() is false in your case, which means it resolves hostnames from dns and /etc/hosts
Yes, we need this because we don’t have only syslog-ng clients in our network. Our PDUs, for example, log only their hostname, which for four of them is just a-1 and not the fully qualified name which we need.

> Isn't it possible that you get ipv6 traffic from special addresses, and those are resolved onto the names it uses?
No. I’ve disabled IPv6 completely on the server. The DNS server doesn’t serve any AAAA records either.

> can you run tcpdump on the server to confirm? do you have ipv6 source configured?
In the dump I’m seeing DNS lookups for AAAA records which I can’t explain. But this isn’t happening for every host, and only sometimes.


What I’ve done to debug this problem:

- Compiling syslog-ng 3.3.4, 5, 6 & 7
- Installing different Linux distributions: Debian Squeeze, CentOS 6.2 and Ubuntu 12.10, and using the binary packages
- Switching off IPv6 on the server
- Configuring ip6tables to block all incoming v6 traffic
- “options single-request” in resolv.conf
- Deleting the IPv6 default settings in the hosts file. This only caused ip6-localnet & co. not to be used as names anymore
- Switching off the syslog-ng DNS cache
- Using nscd as cache (but this solution created even more weird names)
- Using a local bind with a copy of our zones
- Out of ideas now

I can’t understand why I’m the only one who is experiencing this problem if I can reproduce it on any Linux distribution and with any of the last syslog versions…



From: Balazs Scheidler [mailto:bazsi77 at gmail.com]
Sent: Tuesday, 25 September 2012 07:19
To: Syslog-ng users' and developers' mailing list; Daniel Neubacher
Subject: Re: [syslog-ng] syslog uses wrong and weird hostnames


----- Original message -----
> Hello there,
> My syslog-ng is logging fine from 700 servers but a few times per day it
> is logging into a wrong folder which is created by the $HOST variable.
> Normally syslog should use a hostname like host-1.worker.foobar.com but
> a few times a day it creates a folder names like:
>
> 4.22
> p6-allrouter?
> p6-localnet
> p6-mc?
> p6-mcastpref
> p6-mcastpref?
> host-1.worker.foobar.xcom
> and other weird names...
>
> It only logs one or two lines and then uses the right folder again. Does
> anyone have a clue where I have to look for the problem?
>
> Here are the option line from the server and the client:
>
> Client:
> @version: 3.3
> options {
>        threaded(yes);
>
>        use_dns(yes);
>        use_fqdn(yes);
>        dns_cache(yes);
>        dns_cache_size(16384);
>        dns_cache_expire(3600);
>        dns_cache_expire_failed(10);
>
>        log_msg_size(256000);
>        log_fifo_size(100000);
>
>        normalize_hostnames(yes);
>        check_hostname(yes);
>        bad_hostname("^gconfd$");
>
>        create_dirs(yes);
>        owner("root");
>        group("root");
>        perm(0640);
>
>        time_reopen(30);
> };
>
> Server:
>
> options {
>        threaded(yes);
>        owner("root");
>        group("root");
>        perm(0660);
>
>        dir_owner("root");
>        dir_group("root");
>        dir_perm(0770);
>        create_dirs(yes);
>
>        chain_hostnames(no);
>        normalize_hostnames(yes);
>        check_hostname(yes);
>        keep_hostname(no);
>
>        use_fqdn(yes);
>        dns_cache(yes);
>        dns_cache_size(16384);
>        dns_cache_expire(3600);
>        dns_cache_expire_failed(60);
>
>        log_msg_size(256000);
>        log_fifo_size(1000000);
> };
>
> Destination example:
> destination d_syslog {
> file("/log/syslog/${R_YEAR}/${R_MONTH}/${R_DAY}/$HOST/$PROGRAM"); };

keep-hostname() is false in your case, which means it resolves hostnames from dns and /etc/hosts

Isn't it possible that you get ipv6 traffic from special addresses, and those are resolved onto the names it uses?

can you run tcpdump on the server to confirm? do you have ipv6 source configured?
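An added example, not code from the thread or from syslog-ng, modelling the resolution path Balazs points at: with keep_hostname(no) the sender's address is mapped to a name, and Debian's default IPv6 entries in /etc/hosts are exactly where names like ip6-localnet and ip6-mcastprefix come from. The hosts body and the directory names are constructed; DNS lookups are not modelled, and the check_hostname/bad_hostname behaviour is an approximation of syslog-ng's, used here to keep such names from ever becoming a $HOST directory and to audit directories already created.

```python
import ipaddress
import re

# Constructed /etc/hosts modelled on Debian's default IPv6 entries (the source of the ip6-* names).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.1.2.3    host-1.worker.foobar.com host-1
::1         ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::2     ip6-allrouters
"""
# The character class syslog-ng's check_hostname(yes) accepts (approximation).
VALID_HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")

def parse_hosts(text):
    """Map each address in an /etc/hosts body to its canonical (first) name."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            if names:
                table[ipaddress.ip_address(addr)] = names[0]
    return table

def resolve_host(src_addr, hosts, bad_hostname=None):
    """Model of $HOST under keep_hostname(no)/use_dns(yes): look the sender's
    address up in the hosts table (DNS itself is not modelled); fall back to
    the address when unresolved, when the name fails check_hostname, or when
    it matches the bad_hostname regex, so it never becomes a $HOST directory."""
    ip = ipaddress.ip_address(src_addr)
    name = hosts.get(ip)
    if (name is None or not VALID_HOSTNAME.match(name)
            or (bad_hostname and re.search(bad_hostname, name))):
        return str(ip)
    return name

def suspicious_hosts(host_dirs, expected_suffix):
    """Audit existing $HOST directory names: flag anything that is neither a
    bare address (a failed lookup) nor a well-formed name in the expected domain."""
    flagged = []
    for h in host_dirs:
        try:
            ipaddress.ip_address(h)
        except ValueError:
            if not h.endswith(expected_suffix) or not VALID_HOSTNAME.match(h):
                flagged.append(h)
    return flagged
```

Running suspicious_hosts over the directory names from the original report flags every odd name (p6-localnet, 4.22, host-1.worker.foobar.xcom) while leaving the real FQDNs alone, and resolve_host with bad_hostname("^ip6-") shows how the multicast/link-local entries are kept out of $HOST.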