[syslog-ng] syslog uses wrong and weird hostnames

Balazs Scheidler bazsi77 at gmail.com
Tue Sep 25 07:19:19 CEST 2012


----- Original message -----
> Hello there,
> My syslog-ng is logging fine from 700 servers but a few times per day it
> is logging into a wrong folder which is created by the $HOST variable.
> Normally syslog should use a hostname like host-1.worker.foobar.com but
> a few times a day it creates folder names like:
> 
> 4.22
> p6-allrouter?
> p6-localnet
> p6-mc?
> p6-mcastpref
> p6-mcastpref?
> host-1.worker.foobar.xcom
> and other weird names...
> 
> It only logs one or two lines and then uses the right folder again. Does
> anyone have a clue where I have to look for the problem?
> 
> Here are the option lines from the server and the client:
> 
> Client:
> @version: 3.3
> options {
>         threaded(yes);
> 
>         use_dns(yes);
>         use_fqdn(yes);
>         dns_cache(yes);
>         dns_cache_size(16384);
>         dns_cache_expire(3600);
>         dns_cache_expire_failed(10);
> 
>         log_msg_size(256000);
>         log_fifo_size(100000);
> 
>         normalize_hostnames(yes);
>         check_hostname(yes);
>         bad_hostname("^gconfd$");
> 
>         create_dirs(yes);
>         owner("root");
>         group("root");
>         perm(0640);
> 
>         time_reopen(30);
> };
> 
> Server:
> 
> options {
>         threaded(yes);
>         owner("root");
>         group("root");
>         perm(0660);
> 
>         dir_owner("root");
>         dir_group("root");
>         dir_perm(0770);
>         create_dirs(yes);
> 
>         chain_hostnames(no);
>         normalize_hostnames(yes);
>         check_hostname(yes);
>         keep_hostname(no);
> 
>         use_fqdn(yes);
>         dns_cache(yes);
>         dns_cache_size(16384);
>         dns_cache_expire(3600);
>         dns_cache_expire_failed(60);
> 
>         log_msg_size(256000);
>         log_fifo_size(1000000);
> };
> 
> Destination example:
> destination d_syslog {
> file("/log/syslog/${R_YEAR}/${R_MONTH}/${R_DAY}/$HOST/$PROGRAM"); };

keep-hostname() is false in your case, which means it resolves hostnames from DNS and /etc/hosts.

Isn't it possible that you get IPv6 traffic from special addresses, and those are resolved to the names it uses?

Can you run tcpdump on the server to confirm? Do you have an IPv6 source configured?
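The mechanism the reply points at, as an added example that is not part of this thread and not syslog-ng's own code: with keep_hostname(no) and use_dns(yes), the $HOST that ends up in the file() path is whatever the reverse lookup of the peer address returns, so a hosts table with ip6-* aliases for IPv6 special addresses yields exactly those names as directories. The script models that derivation against a constructed /etc/hosts-style table (the ip6-* lines mirror the aliases Debian ships by default; the worker entry and the 10.1.4.22 / 192.0.2.9 addresses are invented), flags peer addresses that cannot legitimately send syslog and so deserve the tcpdump check, and applies a check_hostname()-style syntax test before the value becomes a path component. The hostname test is a model written for this example, not syslog-ng's implementation.

```python
# Added example (not from this thread or from syslog-ng): model of how $HOST is
# derived when keep_hostname(no) and use_dns(yes) are in effect, and of the
# checks worth applying before that value becomes a directory name.
import ipaddress
import re

# Constructed /etc/hosts-style table. The ip6-* aliases mirror the entries in
# Debian's default /etc/hosts; the worker entry and addresses are invented.
HOSTS_FILE = """\
127.0.0.1   localhost
::1         ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
10.1.4.22   host-1.worker.foobar.com host-1
"""

# RFC 1123 hostname syntax: labels of letters, digits and '-', joined by '.'.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def parse_hosts(text):
    """Map each address to its canonical (first) name, as a reverse lookup
    against /etc/hosts would return it."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        table.setdefault(ipaddress.ip_address(addr), names[0])
    return table


def resolve_host(peer, table):
    """$HOST with keep_hostname(no): ignore the name carried in the message and
    reverse-resolve the peer address; fall back to the address text when no
    name is known for it."""
    addr = ipaddress.ip_address(peer)
    return table.get(addr, str(addr))


def hostname_ok(host):
    """check_hostname()-style test (a model, not syslog-ng's code): accept only
    a syntactically valid hostname, so a value used inside file() can never
    carry '/', '..', spaces or non-printable bytes."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def unexpected_source(peer):
    """Addresses that cannot legitimately originate syslog traffic. A $HOST
    resolved from one of these is worth confirming on the wire (tcpdump)
    rather than trusting."""
    addr = ipaddress.ip_address(peer)
    return addr.is_multicast or addr.is_loopback or addr.is_unspecified


def log_dir(peer, msg_host, table, keep_hostname=False, base="/log/syslog"):
    """Directory the d_syslog destination would write to for one message."""
    host = msg_host if keep_hostname else resolve_host(peer, table)
    if not hostname_ok(host):
        raise ValueError(f"refusing to use {host!r} as a path component")
    return f"{base}/{host}"


if __name__ == "__main__":
    table = parse_hosts(HOSTS_FILE)
    for peer in ("10.1.4.22", "ff02::2", "fe00::", "::1", "192.0.2.9"):
        name = resolve_host(peer, table)
        flag = "  <- cannot be a real source, capture it" if unexpected_source(peer) else ""
        print(f"{peer:>12} -> $HOST={name}{flag}")
    for bad in ("p6-allrouter?", "../etc", "a b"):
        print(f"{bad!r:>18} accepted as path component: {hostname_ok(bad)}")
```

On the server itself the question in the reply is answered by capturing what actually arrives, for example tcpdump -ni <iface> 'ip6 and port 514' (substitute the interface and the port the source listens on); if no IPv6 packets show up while the odd directories keep appearing, the names are not coming from the wire and the lookup path needs a closer look.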