[syslog-ng] "Error resolving hostname" for UDP Destination

Scheidler, Balázs balazs.scheidler at balabit.com
Mon Aug 24 16:30:45 CEST 2015


sources/destinations are worked on by a set of worker threads, which are
not dedicated to a source or destination.

DNS resolution happens at the input side, so if you have multiple log
statements, it will only happen once, right after reception, on the input
side.

however, if you only have one udp() source, that will only use one worker
at a time, so if you have multiple threads the others will not be affected.

hope this helps.

-- 
Bazsi

On Mon, Aug 24, 2015 at 4:27 PM, David Hauck <davidh at netacquire.com> wrote:

> On Saturday, August 22, 2015 10:29 AM, syslog-ng-bounces at lists.balabit.hu
> wrote:
> > Syslog-ng doesn't use an asynchronous dns resolver, but rather it uses
> > the libc one as it wants to keep the ordering of messages.
> >
> > However it uses an inprocess DNS cache, that should mitigate most dns
> > latency issues as hosts that generate logs should already be in the
> > cache anyway.
> >
> > If you can't trust that the dns will work, just disable dns resolution
> > eg use-
> > dns(no) or use persist-only dns caching and populate /etc/hosts with
> > those you want to see with names.
> >
> > https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-la
> > te st-guides/en/syslog-ng-ose-guide-admin/html/example-local-dns.html
>
> Great, the above all sounds fine.
>
> And, yes, the edge condition I'm considering is a UDP destination with a
> failing DNS lookup (see below).
>
> > With regards to dns stalling all sources, no its not as long as
> > syslog-ng is running in threaded mode. Only the affected worker is
> > stalled the others will continue.
>
> By "affected worker" do you mean the source or the destination. Hopefully
> this is the latter as I have many "log" definitions (all with the same
> source and all tied various destinations. Only some of these are configured
> with udp destinations that fail DNS lookup. What exactly doesn't/does get
> blocked here?
>
> > On Aug 22, 2015 5:37 PM, "David Hauck" <davidh at netacquire.com> wrote:
> >
> >
> >       On yslog-ng-bounces at lists.balabit.hu] On Behalf Of Scheidler,,
> > syslog-ng-bounces at lists.balabit.hu wrote:     > Earlier syslog-ng
> > immediately exited at startup, now it is considering  > dns resolution
> > errors just like connection failures so time-reopen applies.
> >
> >       OK, thx.
> >
> >       BTW, I was reading about the DNS resolver blocking the logger
> (during
> > resolutions, which, in situations where the lookup fails, could result
> > in significant time). What does this mean exactly? Are all
> > destinations/sources blocked during this time?
> >
> >       > Time-reopen defaults to 60 seconds as I remember as well and I
> > can't remember any patch that would have changed it.
> >
> >       Thx also - I did locate my configuration setting for this and see
> > that the distribution I'm using resets this default to 10s (so
> > everything's working fine here).
> >
> >       > On Aug 22, 2015 1:01 AM, "David Hauck" <davidh at netacquire.com>
> wrote:
> >       >       >       >       Hi Fabien,      >       >       On Monday,
> June 15, 2015 7:08 AM,
> > I wrote:      > On Monday, June 15, 2015      > 12:50 AM Fabien Wernli
> > wrote:         >> Hi David,    >>
> >>> On Fri, Jun 12, 2015
> >       > at 05:09:03PM +0000, David Hauck wrote:       >>> Starting
> syslog-ng:
> > Error         > resolving hostname;   >>>
> host='test.nacc.netacquire.dom' Error
> >       > initializing message pipeline;        >>>     >>> Unfortunately,
> this
> > results in    > the entire process failing to start.  >>      >> This
> > looks a hell lot like         > a resolved issue [1] on github        >>
> > >> [1]        > https://github.com/balabit/syslog-ng/issues/318       >
> >> Yes, indeed! And
> >       > this looks to have been included in v3.6.3 - I'll give this a
> try.    >
> >       >       I've finally had a chance to test this and see that it
> indeed
> > fixes         > outright error. However, I now see the following messages
> > appear every 10s:     >       >       20150821 15:54:37.994 err
> > syslog(syslog-ng):Error resolving hostname; host='tester'     >
> > 20150821 15:54:37.994 err syslog(syslog-ng):Initiating connection
> > failed, reconnecting; time_reopen='10'        >       >       Is there a
> way to
> > change the timeout? Is this the time-reopen global    > option? Besides
> > DNS lookup retries, what other operations are subject         > to this
> > timeout? Finally, the default (3.7) OSE documentation indicates the
> > time-reopen default is 60s (not 10s like I'm seeing).         >       >
> > Thanks,       >       -David  >       >
> > __________________________________________________________ ____________
> >       > __ ______     Member info:    >
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation:    >
> > http://www.balabit.com/support/documentation/?product=syslog-ng FAQ:  >
> > http://www.balabit.com/wiki/syslog-ng-faq     >       >
> >
> > __________________________________________________________
> > ______________ ______         Member info:
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng   Documentation:
> > http://www.balabit.com/support/documentation/?product=syslog-ng
>  FAQ:
> > http://www.balabit.com/wiki/syslog-ng-faq
> >
> >
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20150824/51697432/attachment.htm 


More information about the syslog-ng mailing list