[syslog-ng] "Error resolving hostname" for UDP Destination

Scheidler, Balázs balazs.scheidler at balabit.com
Mon Aug 24 19:09:53 CEST 2015


The destinations don't have DNS resolution problems. They resolve their
target name once and at every reconnect. On the source side you have a
potential name lookup for every message (if uncached of course).

Or you mean that the target server cannot be resolved? Why not add it to
/etc/hosts? Initiating a reconnect is handled in the main thread, thus name
resolution of the target server would block other threads as well.

The basic problem of name resolution is on the source side though, there
each incoming message can have an associated DNS cache miss but that's
delegated to the workers.

On Monday, August 24, 2015 7:31 AM, syslog-ng-bounces at lists.balabit.hu
wrote:
> sources/destinations are worked on by a set of worker threads, which
> are not dedicated to a source or destination.
>
> DNS resolution happens at the input side, so if you have multiple log
> statements, it will only happen once, right after reception, on the input
> side.
>
> however, if you only have one udp() source, that will only use one
> worker at a time, so if you have multiple threads the others will not be
> affected.
>
> hope this helps.

;) Not sure. First off, my UDP DNS resolution concern is in relation to a
*destination* definition.

destination d_NAaudit_Prio {
    file("/var/log/zzz/audit_log" template(t_NAFormat_Prio));
    udp("testing" port(514) template(t_NAFormat_Prio));
};

This same destination is used in several log statements, the main one of
which is in a fairly complex log statement with multiple junction
definitions (see the genesis of this in the following mailing list thread:
https://lists.balabit.hu/pipermail/syslog-ng/2014-April/021330.html).

So it isn't entirely clear to me how a statement definition like this
results in a specific thread breakdown... Would isolating this destination
to its own thread be as simple as adding "threaded" to the flags option for
this destination (and then any of the referenced "log" statements would be
running in their own threads), or does this happen by default (in v3.6.x)?

Apologies if I'm missing something obvious here ;).