
rsyslog messages writing to IP Addr instead of source FQDN


Moderator: alorbach


Post by dennisp » Tue May 09, 2017 8:38 am

We have a syslog server configured (refer to the attached config file). According to the configuration below, our syslog should create a folder and a filename based on the PTR record of the sending host. However, the behavior we are observing is the following:

When a new message is received, the PTR is resolved correctly and the folder and filename reflect the PTR value, but after a certain amount of time our syslog starts writing to a folder named the same as the IP address instead of the PTR value.

## config snippet
$ModLoad imudp # provides UDP syslog reception
input(type="imudp" port="514" ruleset="r_dynamicFileNameFromHost")
template (name="t_dynamicFileNameFromHost" type="string" string="/var/log/remote/%FROMHOST%/%FROMHOST%.log")

In that period of time, our syslog daemon was not restarted or HUPd.

From a quick look at the source code, it does not appear that the PTR record in the DNS cache gets invalidated until restart of the daemon. Is there a way for us to determine what is causing this behavior? We only noticed this happening with high-frequency UDP syslog sources.

rsyslog version - rsyslogd: origin software="rsyslogd" swVersion="8.4.0"

Re: rsyslog messages writing to IP Addr instead of source FQ

Post by dlang » Tue May 09, 2017 10:04 am

You are using fromhost as the variable; that requires a name lookup. If your DNS server cannot keep up with the request rate, it will end up being populated by the IP address in fromhost-ip.

See if you have different results if the names are defined in /etc/hosts rather than having to query the DNS server. Check the traffic to the DNS server and see how badly you are hammering it.

8.4 is fairly old at this point, and there have been significant improvements since then. Please check and see if you still have the problem with a current version.

Re: rsyslog messages writing to IP Addr instead of source FQ

Post by dennisp » Fri May 12, 2017 4:56 am

Hello Dlang,

My colleague and I went over and parsed through the rsyslog git code for anything that has to do with name resolution and the DNS cache. Here is how we understood how rsyslog handles name resolution.

1.) Init DNS cache, flushing all entries and building it from scratch. This happens at every rsyslog restart (HUP) or at the start of the service.
2.) Upon reception of a message from a source host, if the host is not resolved in DNS, resolve it (using the getbyhostname mechanism), be it using PTR DNS reverse lookup, the hosts file, a DNS query to the configured DNS servers in /etc/resolv.conf, or a local cache such as nscd.

3.) Once the hostname is resolved, add the IP address and FQDN results to the cache.

4.) Upon the arrival of a message coming from the same source host, resolve the hostname from the rsyslog dnscache module.

5.) imtcp and imudp all refer to the same code base to do this, via net.c and dnscache.c.

What we observed on our end is that everything works as expected, meaning all messages are logged to their corresponding FQDN.log file as defined in the template (as per the attached config). After some time, it will suddenly log to the IP address; we noticed that this happened about 24 hours after.

We also did a packet capture of the DNS queries happening at every rsyslog restart vs. rsyslog reload. We observed that for our most active source host, when we restarted it, it didn't give out a DNS query for its hostname (leading us to think that it was cached in the system) until we had stopped nscd. Also, this active source host can only send logs via UDP, so this is using the imudp module.

Are there any bugs in our current version that are being fixed in the latest version? If there is any bug, can you suggest a workaround?

What are your thoughts on this? Thanks, best regards
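An added example, not part of any post above and not rsyslog code: a triage script for the /var/log/remote/%FROMHOST%/%FROMHOST%.log layout from the first post. It lists directories named after an IP address, what that address reverse-resolves to now, whether a directory with that name also exists (one source split across two paths), and the first line written under the IP name, which dates the start of the fallback. The tree, host names and addresses in demo() are constructed.

```python
import ipaddress
import os
import socket
import tempfile

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def system_ptr(ip):
    # System resolver path named in the thread: hosts file, nscd, DNS servers.
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def find_fallback_dirs(log_root, resolve=system_ptr):
    """List IP-named directories, the name the IP resolves to now, whether a
    directory with that name also exists, and the first fallback line."""
    names = sorted(e.name for e in os.scandir(log_root) if e.is_dir())
    named = {n.lower() for n in names if not is_ip(n)}
    findings = []
    for ip in filter(is_ip, names):
        ptr = resolve(ip)
        ptr = ptr.rstrip(".").lower() if ptr else None
        first = None
        path = os.path.join(log_root, ip, ip + ".log")
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                first = fh.readline().rstrip("\n") or None
        findings.append({"ip": ip, "ptr": ptr, "split": ptr in named, "first_line": first})
    return findings

def demo():
    # Constructed sample tree and PTR table (documentation addresses, .test names).
    ptr_table = {"192.0.2.10": "fw01.example.test"}
    with tempfile.TemporaryDirectory() as root:
        for d, line in [("fw01.example.test", "May  9 08:00:01 fw01 kernel: accept"),
                        ("192.0.2.10", "May 10 08:03:17 fw01 kernel: accept"),
                        ("198.51.100.7", "May 10 09:00:00 sw02 link up")]:
            os.makedirs(os.path.join(root, d))
            with open(os.path.join(root, d, d + ".log"), "w") as fh:
                fh.write(line + "\n")
        return find_fallback_dirs(root, resolve=ptr_table.get)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real server, call find_fallback_dirs("/var/log/remote") with the default resolver and compare each first_line timestamp with DNS server or nscd events around that time.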
