I have an RHEL 4 server that is running a syslog daemon for a firewall. It was configured a few days ago. Today I've noticed a massive increase in the amount of DNS requests coming from the server in question going out to its only configured DNS server. These of course are logged by the firewall and dumped onto the firewall log on the system.

I stopped or killed every service on the machine that wasn't related the OS, still with no luck. I also removed the -r switch from the /etc/sysconfig/syslog file so nothing could write to the server. Still, no luck. Then, I commented out the entry in resolv.conf for the nameserver and poof, the DNS requests ceased, as expected.

I then turned on all of the services that I disabled and uncommented the resolv.conf file, and all was good, no large increase in DNS requests, so I thought I was good. I then remembered that I had syslog still "disabled" so I changed the syslog conf file to allow writing, and the firewall and the associated log began flooding with DNS requests again.

Can anyone please tell me if syslog attempts to resolve every address that's written to it, and if so, is there a way to disable that feature? Is there another piece of the puzzle I'm missing? I don't need any addresses resolved, and there's nothing but IP addresses in the logs, so if it is trying to resolve anything, it's not working.

Thanks in advance...

I found the problem. Syslog does indeed by default try to resolve IP's in log entries when they are written to the server using the -r flag. The -x flag cancels this option.

just an FYI...

as another option: If the number of systems sending syslog messages to the box is small, and you don't mind a little static DNS config (which has to be kept updated as you move/rename machines)

you can reenable the syslog resolve feature and put the hosts into the /etc/hosts file on your machine running the syslog daemon. This is useful if you need the hostnames in your log files (perhaps so they makes sense years later? dunno what your using them for), without the penalty of banging on the DNS server.

-c

Thanks for the reply CC. The firewall in question is behind two other layers of firewalls, and I know the IP's of the boxes that would hit it, so resolution isn't really necessary. Thanks for the tip though. Much appreciated...