Syslog Migration – Handling FQDNs During Migration from Syslogd to Syslog-NG


I'm migrating from syslogd to syslog-ng on a SLES 9 server (syslog-ng at the stock version 1.6.8). The server happens to be a loghost for some remote loggers.

How do I configure syslog-ng to ensure maximum compatibility with syslogd behavior when it comes to the hostname printed in logs? There are some custom scripts that analyze the logs, and those probably depend on the hostnames staying the same. Some of them have been reported as FQDNs by syslogd, and if they were stripped now, name collisions would surely occur.

By the way, I haven't used syslogd -s or -l options to strip FQDNs.

A snapshot of my current research on syslog-ng options (update: this is incorrect; see my self-answer):

options {
        check_hostname(yes);    # invalid chars?
        keep_hostname(yes);     # yes - if there is a hostname embedded in the message, it will
                                #   be kept without overwrite/append
                                #   see https://lists.balabit.hu/pipermail/syslog-ng/2002-August/003669.html
                                #   note: RFC3164 allows either short hostname or IP, no FQDN

        use_dns(yes);           # if there is no hostname embedded in the message, try DNS

        use_fqdn(no);           # do not try to expand everything to FQDN? strip all FQDNs? strip only DNS-resolved FQDNs?
                                # old syslogd behaviour (?): use embedded hostname, print fqdn (strip only local
                                #   domain + strip "-s" domains + strip domains for "-l" hosts)

        chain_hostnames(no);    # if keep_hostname(no) or hostname not embedded, attach (rather than assign)
                                #   hostname/IP of *sender*; same as long_hostnames(off)

        sync(0);                # sync immediately
};

I found the syslog-ng manuals to be somewhat inadequate.

Best Answer

Self-answer. It seems to be impossible to imitate syslogd behavior. After a lot of experiments, I provide an updated snapshot of my research/guesses on syslog-ng options:

options {
        #####################################################################
        ### the flow of decisions for hostnames, syslog-ng 1.6.8:

        use_dns(yes);           # yes = first resolve the IP in $HOST_FROM (the message sender)

        keep_hostname(no);      # no = ignore $HOST embedded in the message (rare); overwrite $HOST with $HOST_FROM
                                #   note: RFC3164 allows embedding short hostname or IP, not FQDN

        use_fqdn(yes);          # yes = expand everything to FQDN, including local name
                                # Note syslogd behaviour is incompatible: use FQDN, but strip local
                                #   domain + strip "-s" domains + strip domains for "-l" hosts

        chain_hostnames(no);    # no = keep $FULLHOST same as $HOST; 
                                #   do not expand $FULLHOST into either "src@$HOST" for localhost, 
                                #   or to "$HOST/$HOST_FROM" for remote client

        #long_hostnames(no);    # synonym of chain_hostnames

        ### with default template, the resulting $FULLHOST is written to log
        #####################################################################

        check_hostname(yes);    # invalid chars?

        sync(0);                # sync immediately
};

I've found out that messages from my remote systems probably do not have a hostname embedded, which makes keep_hostname of no use.
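As an added example (not part of the question or the answer, and not syslog-ng's own code), the Python script below models the decision flow the answer lays out so that the effect of each option on $HOST and $FULLHOST can be checked against sample lines offline before cutting over. The DNS table, hostnames and log lines are constructed; the "embedded hostname" check is a heuristic (a token after the RFC 3164 timestamp that starts alphanumeric and contains no ':' or '['), and `syslogd_style()` implements only the stripping rule the answer attributes to syslogd (local domain, `-s` domains, `-l` hosts) for side-by-side comparison.

```python
"""Model of the hostname decision flow in syslog-ng 1.6.8 as described above.

Added illustration: this is NOT syslog-ng's source, it only re-implements the
flow the answer describes, so the effect of each option on $HOST and $FULLHOST
can be checked against sample messages offline. DNS table, hostnames and the
log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed DNS table: sender IP -> FQDN. Unlisted IPs stay as bare IPs.
DNS = {
    "192.0.2.10": "web01.example.net",
    "192.0.2.20": "db01.corp.example.net",
}
LOCAL_FQDN = "loghost.example.net"          # the loghost itself (constructed)

# RFC 3164 line with a hostname: <PRI>TIMESTAMP HOSTNAME TAG... The hostname
# token must start alphanumeric and may not contain ':' or '[', which is how
# a TAG such as "sshd[1234]:" is told apart from a hostname (heuristic).
_WITH_HOST = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9._-]*) \S"
)
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Options:
    use_dns: bool = True           # resolve the sender IP ($HOST_FROM)
    keep_hostname: bool = False    # honour a hostname embedded in the message
    use_fqdn: bool = True          # keep/expand to FQDN instead of short name
    chain_hostnames: bool = False  # build the chained $FULLHOST form


def embedded_hostname(raw):
    """Return the hostname embedded in an RFC 3164 line, or None."""
    m = _WITH_HOST.match(raw)
    return m.group("host") if m else None


def _shape(name, use_fqdn):
    """Apply use_fqdn: IPs are left alone, names are cut at the first dot."""
    if _IPV4.match(name) or use_fqdn:
        return name
    return name.split(".", 1)[0]


def resolve_hostnames(raw, sender_ip, opts, dns=DNS, local_fqdn=LOCAL_FQDN):
    """Return ($HOST, $FULLHOST) for one message under the given options.

    sender_ip=None means the message came from the local system.
    """
    # 1. use_dns: $HOST_FROM is the sender's name if resolvable, else the IP
    if sender_ip is None:
        host_from = local_fqdn
    elif opts.use_dns and sender_ip in dns:
        host_from = dns[sender_ip]
    else:
        host_from = sender_ip
    host_from = _shape(host_from, opts.use_fqdn)

    # 2. keep_hostname: only matters when a hostname is actually embedded;
    #    a kept name is used verbatim (no DNS expansion or stripping)
    embedded = embedded_hostname(raw)
    host = embedded if (opts.keep_hostname and embedded) else host_from

    # 3. chain_hostnames: "src@$HOST" locally, "$HOST/$HOST_FROM" for remote
    #    senders ("src" standing for the source name, as in the answer)
    if not opts.chain_hostnames:
        fullhost = host
    elif sender_ip is None:
        fullhost = "src@" + host
    else:
        fullhost = host + "/" + host_from
    return host, fullhost


def syslogd_style(fqdn, local_domain, strip_domains=(), strip_hosts=()):
    """The incompatible syslogd rule the answer describes: print the FQDN,
    but strip the local domain, any '-s' domain and the domain of '-l' hosts."""
    if _IPV4.match(fqdn):
        return fqdn
    short, _, domain = fqdn.partition(".")
    if short in strip_hosts or domain in (local_domain,) + tuple(strip_domains):
        return short
    return fqdn


# Constructed sample lines: (raw message, sender IP or None for local)
SAMPLES = [
    ("<34>Oct 11 22:14:15 web01 sshd[1234]: Failed password for root", "192.0.2.10"),
    ("<34>Oct 11 22:14:16 sshd[1235]: Accepted publickey for admin", "192.0.2.20"),
    ("<13>Oct 11 22:14:17 cron[99]: (root) CMD (run-parts /etc/cron.hourly)", None),
]

if __name__ == "__main__":
    answer_opts = Options()  # the values from the self-answer above
    for raw, ip in SAMPLES:
        host, fullhost = resolve_hostnames(raw, ip, answer_opts)
        print(f"{ip or 'local':12} HOST={host:24} FULLHOST={fullhost}")
        print(f"{'':12} syslogd would print: {syslogd_style(fullhost, 'example.net')}")
```

Running it with the answer's option set shows the point of the last paragraph: the second sample line carries no hostname, so `keep_hostname` has nothing to keep and $HOST comes from the reverse lookup of the sender regardless. It also shows why a 1:1 match with syslogd is not available: `use_fqdn(yes)` keeps `web01.example.net` where syslogd would have stripped the local domain to `web01`, while `use_fqdn(no)` would also cut `db01.corp.example.net` down to `db01`, which syslogd would not have done without `-s corp.example.net`. Feed your own captured lines and sender addresses into `SAMPLES` to see which names your scripts would start receiving.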