Solved

rsyslog - using reverse DNS instead of hostname

Posted on 2011-09-21
7
2,814 Views
Last Modified: 2012-06-21
I currently have a rsyslog server setup to accept logs from our internal cisco devices.  It is working well, but it seems to be doing a TON of reverse DNS lookups.  It seems that the rsyslog server is using reverse DNS to find where the message is coming from rather than the hostname in the message.

Example of one of the messages:
Aug 22 11:33:58 cisco-test 17: 000014: Aug 22 11:33:57.726 est: %SYS-5-CONFIG_I: Configured from console by johnd on vty0 (x.x.x.x)

So it seems are messages are formatted correctly.  Here is my rsyslong.conf file:

# cat /etc/rsyslog.conf
$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

$ModLoad imudp.so
$UDPServerAddress X.X.X.X
$UDPServerRun 514
$ModLoad imtcp.so  
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%-%$MONTH%-%$DAY%-%$YEAR%.log"
*.* -?DynaFile
:HOSTNAME, !isequal, "rsyslogserver" ~
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
0
Comment
Question by:savone
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 12

Expert Comment

by:hfraser
ID: 36577230
I expect the reverse DNS is happening because of the:

HOSTNAME, !isequal, "rsyslogserver" ~

filter which is based upon the actual hostname associated with the IP address of the system sending the message to your syslog server. Usually, this is done to implement different rules for different sources or messages. Is this something you need to do?
0
 
LVL 23

Author Comment

by:savone
ID: 36577688
Yes,
I have multiple (about 25-30) cisco devices all logging to this server.  

I use this line to make sure they are in their own folders so we can find the logs when we need them:
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%-%$MONTH%-%$DAY%-%$YEAR%.log"

0
 
LVL 12

Expert Comment

by:hfraser
ID: 36578017
Understood. You can filter on parts of the message text, but the kind of flexibility you're looking for might be better suited to syslog-ng, which offers many more capabilities for routing messages to different files, including my IP address rather than hostname.
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 23

Author Comment

by:savone
ID: 36578037
It would take me months if not years to get new software approved for our network.  Is there no way to get this resolved with rsyslog?

It looks like a reverse DNS query for every single log entry, this seems excessive.  
0
 
LVL 12

Accepted Solution

by:
hfraser earned 500 total points
ID: 36578088
I'm not aware of any way to create a filter by hostname, unless you want to maintain a list of filters by message content that look for hostnames in the message. That might mean a LOT of filters, and at the very least it's a maintenance nightmare.

If you're really concerned about the DNS traffic (the packets are small UDP messages, so it's not usually a lot of overhead), you could always suggest installing a caching slave DNS server on the syslog server itself. I've used this technique for high-volume DNS servers, more for pure performance than anything else. If your syslog server is a Unix box, you may already have bind installed on it and merely need to justify activating it and allowing it to be a slave to your main DNS servers, then add it as the DNS server in /etc/resolve.conf.
0
 
LVL 23

Author Comment

by:savone
ID: 36578188
That is a good idea.  I will look into that.  Thanks for the help.

0
 
LVL 23

Author Closing Comment

by:savone
ID: 36583451
Still considering this.
0

Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question