Re: [rsyslog] rsyslog does not forward logs to new IP address, when DNS A record is updated

Thu, 28 May 2020 12:09:15 -0700

rsyslog will leverage any DNS caching that the system does.   check for instances of nscd, and be aware that the dig utility does not consider any such cache.
it is also very important to understand that the DNS name is only used once, when the connection to the remote system is established.  if the log stream is steady enough so that the connection never goes away, then DNS could change any number of times behind the scenes and the open connection would neither know or care. 


if the connection did time out and go away, then the next time a packet 
came in and the connection to the remote host had to be re-established, 
a DNS lookup would occur and the new value used.  this is obviously the 
same thing that happens when you restart.


hope that helps,




On 5/28/20 9:31 AM, Olivia Nelson via rsyslog wrote:

Software version
---------------

I'm testing this behavior on CentOS 6, if it's already fixed I can
recompile and test a newer version:

# rpm -qa | grep rsyslog
rsyslog-5.8.10-10.el6_6.x86_64

Step to reproduce
---------------

Configured rsyslogd to forward logs to log1.example.com

*.* @log1.example.com:514

Create a test log with logger command

logger -t test RANDOM_STRING

And I confirm it's received on the remote host by grepping the files.

Then I change the DNS A record of log1.example.com to another IP, wait
for TTL to expire, and confirm the IP has changed with dig command.

If I execute the logger command again, the log is still sent to the
old IP address.

Conclusion
---------------

rsyslogd would never update the IP address, unless I manually restart
the rsyslog daemon. Is it by design?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.



_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.





















					Reply via email to