Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: RSyslog: users

DNS cache - where to find more information?

 

 

RSyslog users RSS feed   Index | Next | Previous | View Threaded


shaded4 at gmail

Jul 29, 2012, 7:13 AM

Post #1 of 3 (371 views)
Permalink
DNS cache - where to find more information?

Hi, we are using rsyslog 6.3.11.

From http://www.rsyslog.com/tag/dns-name-cache/, the DNS cache feature
appeared a year ago in v6.3.1.
Is there any further information somewhere on this feature, or any user
feedback? I can't find much online.

From limited testing of receiving messages from a small number of servers,
it seems to work OK so far, but:

a) The above page suggests the DNS entries in the cache never expire, so to
clear the cache I assume we would have restart the rsyslog service?
b) Will the DNS cache be robust enough for our system of ~10000 msgs/s from
hundreds of different servers?
c) Has anything changed for the DNS cache since 6.3.1?
The above webpage says "Implementation will be improved based on
feedback during the next couple of releases"
but I can't see any further mention of the DNS cache in subsequent
changelogs?
d) Is there any user feedback on the DNS cache in the past year? I can't
find much online.

From a), should I expect that rsyslog does only one DNS lookup per server
name while it's running?
But from my limited testing, sending a flood of messages from even a small
number of servers (e.g. 3 or 4)
already causes rsyslog to do DNS lookups for the same server name every now
an again (verified by tcpdump).
I can't quite put my finger on how often it does this, and whether it's a
concern,
so I'm hoping someone can help me?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards


david at lang

Jul 29, 2012, 7:51 PM

Post #2 of 3 (329 views)
Permalink
Re: DNS cache - where to find more information? [In reply to]

On Mon, 30 Jul 2012, shaded 4 wrote:

> Hi, we are using rsyslog 6.3.11.
>
> From http://www.rsyslog.com/tag/dns-name-cache/, the DNS cache feature
> appeared a year ago in v6.3.1.
> Is there any further information somewhere on this feature, or any user
> feedback? I can't find much online.
>
> From limited testing of receiving messages from a small number of servers,
> it seems to work OK so far, but:
>
> a) The above page suggests the DNS entries in the cache never expire, so to
> clear the cache I assume we would have restart the rsyslog service?
> b) Will the DNS cache be robust enough for our system of ~10000 msgs/s from
> hundreds of different servers?
> c) Has anything changed for the DNS cache since 6.3.1?
> The above webpage says "Implementation will be improved based on
> feedback during the next couple of releases"
> but I can't see any further mention of the DNS cache in subsequent
> changelogs?
> d) Is there any user feedback on the DNS cache in the past year? I can't
> find much online.
>
> From a), should I expect that rsyslog does only one DNS lookup per server
> name while it's running?
> But from my limited testing, sending a flood of messages from even a small
> number of servers (e.g. 3 or 4)
> already causes rsyslog to do DNS lookups for the same server name every now
> an again (verified by tcpdump).
> I can't quite put my finger on how often it does this, and whether it's a
> concern,
> so I'm hoping someone can help me?

I think that it's been enhanced to try and do some smart retries based on
the TTL of the domain, but there has not been much in the way of comments
on it.

I normally disable DNS lookups, I'm either trusting the hostname in the
message, or I'm logging the IP address. The middle ground of trusting some
other nameserver to translate the IP address is usually not that useful
for me.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards


rgerhards at hq

Jul 30, 2012, 12:20 AM

Post #3 of 3 (328 views)
Permalink
Re: DNS cache - where to find more information? [In reply to]

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of david [at] lang
> Sent: Monday, July 30, 2012 4:51 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] DNS cache - where to find more information?
>
> On Mon, 30 Jul 2012, shaded 4 wrote:
>
> > Hi, we are using rsyslog 6.3.11.
> >
> > From http://www.rsyslog.com/tag/dns-name-cache/, the DNS cache
> feature
> > appeared a year ago in v6.3.1.
> > Is there any further information somewhere on this feature, or any
> user
> > feedback? I can't find much online.
> >
> > From limited testing of receiving messages from a small number of
> servers,
> > it seems to work OK so far, but:
> >
> > a) The above page suggests the DNS entries in the cache never expire,
> so to
> > clear the cache I assume we would have restart the rsyslog service?
> > b) Will the DNS cache be robust enough for our system of ~10000
> msgs/s from
> > hundreds of different servers?
> > c) Has anything changed for the DNS cache since 6.3.1?
> > The above webpage says "Implementation will be improved based on
> > feedback during the next couple of releases"
> > but I can't see any further mention of the DNS cache in subsequent
> > changelogs?
> > d) Is there any user feedback on the DNS cache in the past year? I
> can't
> > find much online.
> >
> > From a), should I expect that rsyslog does only one DNS lookup per
> server
> > name while it's running?
> > But from my limited testing, sending a flood of messages from even a
> small
> > number of servers (e.g. 3 or 4)
> > already causes rsyslog to do DNS lookups for the same server name
> every now
> > an again (verified by tcpdump).
> > I can't quite put my finger on how often it does this, and whether
> it's a
> > concern,
> > so I'm hoping someone can help me?
>
> I think that it's been enhanced to try and do some smart retries based
> on
> the TTL of the domain, but there has not been much in the way of
> comments
> on it.

Long story short: no comments --> no changes
People seem to be either happy with the current state or not use it at all (but v6 adoption increases, so I tend to the "happy part"...

Currently no expiration, except (I think) on HUP and, of course, on restart.

Rainer
>
> I normally disable DNS lookups, I'm either trusting the hostname in the
> message, or I'm logging the IP address. The middle ground of trusting
> some
> other nameserver to translate the IP address is usually not that useful
> for me.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards

RSyslog users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.