[rsyslog] more 5.1.3 errors (fwd) / invalid fromhost

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Aug 20 14:48:40 CEST 2009


> the second problem from my initial e-mail (and the one I mentioned in
> response to the 5.1.4 release) is pointed out by this portion of my
> initial e-mail
> 
> <29>Jul 31 21:33:39 methane1d-b plug-gw[13212]: connect host=
> /192.168.243.38 destination=179.50.100.130/11074
> 
> 192.168.210.245 192.168.210.245 methane1d-b
> 
> 
> in addition to not parsing the message correctly and putting the
> hostnmae
> in the syslogtag field, the fromhost is incorrect. this message could
> only
> have gotten here by being relayed from the .219 box. the log file on
> the
> .245 box (which logs *.* to messages) don't show anything like this,
> and
> the methane1d-b box doesn't have any networks in common with the .245
> box

Is there any possibility that *any* message was previously received from
.245? From what you said, I assume not. I am asking because the problem may
be related to the name lookup reuse technique (which re-uses the sender IP if
it is the same as with the last UDP packet). However, the problem can only be
rooted in that area if .245 is a valid sender at least at times.

I have also done a source code review right now, but I do not see any
suspicious. Will continue to try a little bit, but that one does probably
need to wait until we can do some debugging in your environment.

Rainer



More information about the rsyslog mailing list