[syslog-ng] Handling correctly HOST value on the client side

Balazs Scheidler bazsi at balabit.hu
Thu Aug 29 18:19:48 CEST 2013


On Tue, 2013-08-27 at 16:58 +0200, Christophe Brocas wrote:
> Hello,
> 
> I have a log management infrastructure with many servers sending logs to
> centralized servers.
> 
> Currently, on the server side, I use the HOST field present in the log messages
> to store log messages in separate files (like <path>/<host>/messages).
> 
> Of course, due to inconsistent content of the HOST value in the log messages, I
> have several log file locations for a single client. Bad point.
> 
> My question: I want to fix the problem at the source and so, set a single
> unique value in the HOST field of every log message sent by each client.
> 
> What is your preferred way to address this problem on the client side? Do you
> use the use_fqdn() global option? If yes, how does it work? A reverse DNS call? What
> is the value returned if a PTR value is not set in the DNS zone for the IP of
> the host?
> 
> Thank you for reading and for your answer :)
> Christophe

Well, either the server trusts the client with the hostname it sent in
the message (keep-hostname(yes) setting) or it doesn't.

If the server doesn't trust the client, it will reverse the IP address
based on DNS and /etc/hosts (we do have an option to only
use /etc/hosts).

If the server does trust the client, the client will have to use a proper
HOST value in the messages it sends. By default syslog-ng uses
gethostname() to find out its own hostname, but if you are using a
different client, that might work differently.

If you use syslog-ng on the client side, HOST should be consistent for
all messages.

Hope this helps,
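
The two trust models described in the reply, written out as syslog-ng.conf fragments. This is an added example, not configuration from the original post or from the syslog-ng project; the source and destination names, ports, paths and example.com hostnames are assumptions.

```conf
# ---- Server side: do not trust the HOST sent by clients ----
options {
    keep-hostname(no);       # ignore HOST from the message, derive it from the sender IP
    use-dns(persist_only);   # resolve the sender IP from /etc/hosts only, no DNS queries
    use-fqdn(yes);           # store the fully qualified name when one is known
    chain-hostnames(no);     # keep $HOST a single name, not a relay chain
};

# Assumed listener; adjust address, port and transport to the site.
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# One directory per sender. With the options above, $HOST comes from the
# server's own /etc/hosts (or is the bare IP when there is no entry), so a
# client cannot pick its own directory name by changing what it sends.
destination d_per_host {
    file("/var/log/hosts/$HOST/messages" create-dirs(yes));
};

log { source(s_net); destination(d_per_host); };

# ---- Client side: only matters if the server runs keep-hostname(yes) ----
options {
    use-fqdn(yes);           # send the fully qualified name instead of the short one
};

source s_local { system(); internal(); };

# Optional: pin HOST to one fixed value regardless of what the local
# hostname lookup returns. "client01.example.com" is a placeholder.
rewrite r_fixed_host {
    set("client01.example.com", value("HOST"));
};

# Assumed central server name and port.
destination d_central { tcp("logs.example.com" port(514)); };

log { source(s_local); rewrite(r_fixed_host); destination(d_central); };
```

With keep-hostname(yes) on the server, any client can write into any other client's directory by sending that client's name, so that setting is only appropriate where every sender is trusted.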
