
I'm migrating from syslogd to syslog-ng on a SLES 9 server (syslog-ng at stock version 1.6.8). The server happens to be a loghost for some remote loggers.

How do I configure syslog-ng to assure maximum compatibility with syslogd behavior when it comes to the hostname printed in logs? There are some custom scripts to analyze the logs, and those probably depend on hostnames staying the same. Some of them have been reported as FQDNs by syslogd, and if they were stripped now, name collisions would surely occur.

By the way, I haven't used syslogd -s or -l options to strip FQDNs.

Snapshot of my current research on syslog-ng options (update: this is incorrect, see my self-answer):

options {
        check_hostname(yes);    # invalid chars?
        keep_hostname(yes);     # yes - if there is a hostname embedded in the message, it will
                                #   be kept without overwrite/append
                                #   see https://lists.balabit.hu/pipermail/syslog-ng/2002-August/003669.html
                                #   note: RFC3164 allows either short hostname or IP, no FQDN

        use_dns(yes);           # if there is no hostname embedded in the message, try DNS

        use_fqdn(no);           # do not try to expand everything to FQDN? strip all FQDNs? strip only DNS-resolved FQDNs?
                                # old syslogd behaviour (?): use embedded hostname, print fqdn (strip only local
                                #   domain + strip "-s" domains + strip domains for "-l" hosts)

        chain_hostnames(no);    # if keep_hostname(no) or hostname not embedded, attach (rather than assign)
                                #   hostname/IP of *sender*; same as long_hostnames(off)

        sync(0);                # sync immediately
};

I found syslog-ng manuals to be somewhat inadequate.


3 Answers


Self-answer. It seems to be impossible to imitate syslogd behavior. After a lot of experiments, I provide an updated snapshot of my research/guesses on syslog-ng options:

options {
        #####################################################################
        ### the flow of decisions for hostnames, syslog-ng 1.6.8:

        use_dns(yes);           # yes = first resolve the IP in $HOST_FROM (the message sender)

        keep_hostname(no);      # no = ignore $HOST embedded in the message (rare); overwrite $HOST with $HOST_FROM
                                #   note: RFC3164 allows embedding short hostname or IP, not FQDN

        use_fqdn(yes);          # yes = expand everything to FQDN, including local name
                                # Note syslogd behaviour is incompatible: use FQDN, but strip local
                                #   domain + strip "-s" domains + strip domains for "-l" hosts

        chain_hostnames(no);    # no = keep $FULLHOST same as $HOST;
                                #   do not expand $FULLHOST into either "src@$HOST" for localhost,
                                #   or to "$HOST/$HOST_FROM" for remote client

        #long_hostnames(no);    # synonym of chain_hostnames

        ### with default template, the resulting $FULLHOST is written to log
        #####################################################################

        check_hostname(yes);    # invalid chars?

        sync(0);                # sync immediately
};

I've found out that messages from my remote systems probably do not have a hostname embedded, and this causes keep_hostname to be of no use.

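The hostname decision flow above (use_dns, keep_hostname, use_fqdn, chain_hostnames) compared against the syslogd behavior described in this thread (strip the local domain, keep foreign FQDNs, bare IP when there is no PTR record), as an added model written for this page, not code from syslog-ng or from the poster. The reverse-DNS table, the sender IPs and the local domain are constructed sample data; the chaining format "$HOST/$HOST_FROM" is simplified to the remote-client case only.

```python
# Constructed reverse-DNS table standing in for the PTR lookups use_dns(yes) triggers.
REVERSE_DNS = {
    "10.0.0.5": "web1.example.com",   # same domain as the loghost
    "10.0.0.6": "web1.partner.net",   # foreign domain, same short name
    "10.0.0.7": None,                 # no PTR record at all
}
LOCAL_DOMAIN = "example.com"          # assumed local domain of the loghost
SENDERS = list(REVERSE_DNS)


def resolve(ip):
    """Reverse lookup against the constructed table (None = no PTR)."""
    return REVERSE_DNS.get(ip)


def syslog_ng_host(host_from, embedded_host, use_dns=True, keep_hostname=False,
                   use_fqdn=True, chain_hostnames=False):
    """Return ($HOST, $FULLHOST) following the option semantics the self-answer lays out."""
    # use_dns: resolve the sender IP in $HOST_FROM, otherwise keep the bare IP.
    name = resolve(host_from) if use_dns else None
    if name is None:
        sender = host_from                  # no name available: the bare IP is used
    elif use_fqdn:
        sender = name                       # use_fqdn(yes): everything becomes an FQDN
    else:
        sender = name.split(".", 1)[0]      # use_fqdn(no): short name only, for every domain
    # keep_hostname: only an embedded hostname survives; otherwise $HOST_FROM overwrites $HOST.
    host = embedded_host if (keep_hostname and embedded_host) else sender
    # chain_hostnames: $FULLHOST becomes "$HOST/$HOST_FROM" for a remote client.
    fullhost = f"{host}/{sender}" if chain_hostnames else host
    return host, fullhost


def syslogd_host(host_from, local_domain=LOCAL_DOMAIN):
    """Hostname classic syslogd writes (no -s/-l): local domain stripped, foreign FQDN kept."""
    name = resolve(host_from)
    if name is None:
        return host_from
    if name.endswith("." + local_domain):
        return name[: -len(local_domain) - 1]
    return name


def syslogd_compatible(senders, **opts):
    """True only if these syslog-ng options reproduce syslogd's hostname for every sender."""
    return all(syslog_ng_host(ip, None, **opts)[1] == syslogd_host(ip) for ip in senders)


def short_name_collisions(senders, **opts):
    """Distinct senders that end up with the same $HOST (the collision the question fears)."""
    seen = {}
    for ip in senders:
        seen.setdefault(syslog_ng_host(ip, None, **opts)[0], []).append(ip)
    return {h: ips for h, ips in seen.items() if len(ips) > 1}
```

Neither use_fqdn setting satisfies syslogd_compatible on this data: use_fqdn(yes) keeps the local domain syslogd would strip, and use_fqdn(no) strips the foreign domain syslogd would keep, which is what makes the two web1 hosts collide.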

The options you have are probably what you want, except for use_dns(yes);. Enabling that will cause syslog-ng to do a DNS lookup on the IP address a log comes from. This is a big performance hit (DNS lookups as logs come in that syslog-ng has to block on because it can't write the logs until the DNS lookup returns), and it also means that if a log doesn't include an entry, syslog-ng will try to fill it in with a DNS hostname, while traditional syslog will fill it in with a log source's IP address.

Honestly, the only lines you absolutely need are keep_hostname(yes); and (just to keep invalid characters out), check_hostname(yes);. The rest won't hurt anything, but aren't strictly required (with the one exception being the use_dns(yes);, as mentioned above, which you don't want).

  • Bad news for you. My original syslogd sure does write to logs many names that come from reverse DNS queries. I can see them. Names from the same domain are stripped, names from other domains are FQDNs. Syslogd logs bare IPs only when there is no reverse DNS for a given IP. Again, I don't need performance enhancements for now, I just need syslog-ng to keep that syslogd behavior format. – kubanczyk Jun 16 '09 at 20:47

To reduce the performance effect of name resolution, you can also try these tricks: http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch07s04.html

"I found syslog-ng manuals to be somewhat inadequate." > Comments and feedback about the syslog-ng manuals and docs are most welcome at documentation@balabit.com, or on the syslog-ng mailing list (https://lists.balabit.hu/mailman/listinfo/syslog-ng).

Please let me know if the use_dns(yes) option was OK for your case, and I will try to make this part of the docs clearer in the next release.