[rsyslog] more 5.1.3 errors (fwd) / invalid fromhost

[david at lang.hm]

On Thu, 20 Aug 2009, Rainer Gerhards wrote:

>> the second problem from my initial e-mail (and the one I mentioned in
>> response to the 5.1.4 release) is pointed out by this portion of my
>> initial e-mail
>>
>> <29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host=
>> /192.168.243.38 destination=179.50.100.130/11074
>>
>> 192.168.210.245 192.168.210.245 methane1d-b
>>
>>
>> in addition to not parsing the message correctly and putting the
>> hostnmae
>> in the syslogtag field, the fromhost is incorrect. this message could
>> only
>> have gotten here by being relayed from the .219 box. the log file on
>> the
>> .245 box (which logs *.* to messages) don't show anything like this,
>> and
>> the methane1d-b box doesn't have any networks in common with the .245
>> box
>
> Is there any possibility that *any* message was previously received from
> .245? From what you said, I assume not. I am asking because the problem may
> be related to the name lookup reuse technique (which re-uses the sender IP if
> it is the same as with the last UDP packet). However, the problem can only be
> rooted in that area if .245 is a valid sender at least at times.

yes, .245 is a valid sender (in fact, in the main set of mssages I sent 
initilly all the messages from .245 are legit)

all of the sources listed in the config do send messages (for each pair, 
one is the active relay sending hundreds to thousands of messages/sec 
while the other is the backup, sending a handful per min)

> I have also done a source code review right now, but I do not see any
> suspicious. Will continue to try a little bit, but that one does probably
> need to wait until we can do some debugging in your environment.

understood. I may try to go in over the weekend and setup this sort of 
test.

David Lang

> Rainer
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>