Mailing List Archive

rsyslog DNS caching.
Hopefully I am not asking a question that was asked before, but I didn't see an archive search feature to try to mine this and stopped looking in the 3rd quarter of 2015.

I tried looking at the rsyslog source code and see that it has a hostname caching feature, which appears to be used by rsyslog log servers to increase the speed at which it processes incoming messages from remote systems. However, I am wondering, for a system that is configured to push its logs to a remote log server, does rsyslog do any internal caching of a hostname's underlying IP addresses or does it leave that to the system-level DNS services? I am asking because I have to change some of our systems to point to another syslog server, and I would instead like to try to make my life easier in the future and use a hostname that is a DNS c-record (alias/canonical name) in my settings, so that if/when the log servers are moved to another numerical IP address, I might not have to change anything, and when the DNS Time to Live comes up syslog will just start pushing the logs to the new server. (In the past I have run into applications that on startup cache the IP address of systems they connect to and never recheck when the designated DNS name's Time to Live expires, and I want to see if it is worth my time to use a c-name instead of just the hostname itself, and whether restarts would be needed in the future.)


Thank you for any responses.

_________________________
Alexander Kohr
Unix Systems Administrator
Temple University Health System

Alexander.Kohr@tuhs.temple.edu
267-666-8341 (Corporate Cell)


________________________________

This electronic message is intended to be for the use of the named recipient, and may contain information that is confidential or privileged. This communication may contain protected health information (PHI) that is legally protected from inappropriate disclosure by the Privacy Standards of the Health Insurance Portability and Accountability Act (HIPAA) and relevant Pennsylvania Laws. You can direct questions concerning PHI or HIPAA to the Corporate Compliance and Privacy Officer at (215) 707-5605. If you are not the intended recipient, please note that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error, you should notify the sender immediately by telephone or by return e-mail and delete and destroy all copies of this message.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rsyslog DNS caching.
rsyslog will do DNS resolution ONCE when it opens a connection. It does no further checking or updates during that connection. The easiest way to handle this is simply to have rsyslog close and reopen the connection every set number of events transmitted. See the omfwd module parameter named RebindInterval for details.

I believe there is an open request for the rebind interval to be time based, not event count based, but at the moment (with a true load balancer) that’s about the only option.

Regards,

> On Aug 19, 2021, at 13:54, Kohr, Alexander via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> Hopefully I am not asking a question that was asked before, but I didn't see an archive search feature to try to mine this and stopped looking in the 3rd quarter of 2015.
>
> I tried looking at the rsyslog source code and see that it has a hostname caching feature, which appears to be used by rsyslog log servers to increase the speed at which it processes incoming messages from remote systems. However, I am wondering, for a system that is configured to push its logs to a remote log server, does rsyslog do any internal caching of a hostname's underlying IP addresses or does it leave that to the system-level DNS services? I am asking because I have to change some of our systems to point to another syslog server, and I would instead like to try to make my life easier in the future and use a hostname that is a DNS c-record (alias/canonical name) in my settings, so that if/when the log servers are moved to another numerical IP address, I might not have to change anything, and when the DNS Time to Live comes up syslog will just start pushing the logs to the new server. (In the past I have run into applications that on startup cache the IP address of systems they connect to and never recheck when the designated DNS name's Time to Live expires, and I want to see if it is worth my time to use a c-name instead of just the hostname itself, and whether restarts would be needed in the future.)
>
>
> Thank you for any responses.
Re: rsyslog DNS caching.
Thank you all for your responses in this chain and rsyslog issue #2199. I am, for now, going to try to set RebindIntervals as a temporary workaround to being able to change DNS names.

-----Original Message-----
From: John Chivian [mailto:jchivian@chivian.com]
Sent: Thursday, August 19, 2021 3:08 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Kohr, Alexander <Alexander.Kohr@tuhs.temple.edu>
Subject: Re: [rsyslog] rsyslog DNS caching.

rsyslog will do DNS resolution ONCE when it opens a connection. It does no further checking or updates during that connection. The easiest way to handle this is simply to have rsyslog close and reopen the connection every set number of events transmitted. See the omfwd module parameter named RebindInterval for details.

I believe there is an open request for the rebind interval to be time based, not event count based, but at the moment (with a true load balancer) that’s about the only option.

Regards,

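
A forwarding action using the omfwd RebindInterval parameter named in the replies above, shown as an added example that is not part of the original thread. The target name, port, protocol and interval value are assumptions chosen for illustration.

```conf
# Added example, not from the thread. Host name, port and interval
# are assumed values.

# Before: the target name is resolved when the connection is opened
# and the connection then stays up, so a later change to the DNS
# record is not picked up while that connection lasts.
#action(type="omfwd" target="logs.example.org" port="514" protocol="tcp")

# After: close and reopen the connection every 10000 messages.
# Each reopen resolves the target name again.
action(
    type="omfwd"
    target="logs.example.org"   # DNS alias for the current log server (assumed name)
    port="514"
    protocol="tcp"
    RebindInterval="10000"      # counted in messages sent, not in seconds
)
```

Because the interval counts messages rather than time, a low-volume sender can keep forwarding to the old address long after the record changes, so size the value against each host's message rate.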