[rsyslog] DNS lookups in rsyslog v5

Chris McCraw cmccraw at newrelic.com
Thu Feb 23 02:42:56 CET 2012

Hi list,

Longtime user, first time optimizer of rsyslog.  Here's my situation:

We just upgraded a machine that gets a ridiculous amount of log
traffic from one IP (our load balancer)--firehose levels, hundreds of
MB/minute.  This machine also takes logs of a few dozen low-traffic
servers on the same subnet.  With the upgrade from v4.6.2 to v5.8.5,
we gained UDP Multiruleset binding, yay!  We've moved all of our
logging via the firehose from TCP to UDP, because the TCP logging was
very fragile and would simply stop if the rsyslog restart for log
rotation took a microsecond too long.

Logging works great.  Our nameserver load shot way up, because it
seems our TCP-only 4.6.2 setup was not doing a DNS lookup for every
message...yet using the same file (with the addition of the UDP
ruleset binding) with v5.8.5 and -c5 instead of -c4 on the command
line for rsyslog has changed the lookup behavior of rsyslog, and named
is spinning constantly, presumably on the same host name.

Any pointers to the docs on how to mitigate this?  We're open to any
number of solutions (hopefully not including upgrading to v6)--put all
hostnames in /etc/hosts, for instance.  Since the firehose is all
bound to specific files anyway, those logs don't even need DNS
lookups--we know exactly where they come from.  We don't want to turn
off DNS entirely if we can avoid it, but we could partition into
"normal port 514 tcp traffic gets lookups and other port UDP traffic
doesn't".  I'm guessing there is more than one way to do this =)

Thanks for your advice!
