
syslog to a FQDN duplicates all messages by number of DNS records...

‎03-11-2020 02:20 PM

I'm using papertrail to send syslog events, and ran across something weird: When I set it up as a FQDN, I get as many duplicated events as the amount of IPs in the DNS record. e.g.:


% dig logs.papertrailapp.com                        [0]

; <<>> DiG 9.10.3-P4-Debian <<>> logs.papertrailapp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1299
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;logs.papertrailapp.com.                IN      A

;; ANSWER SECTION:
logs.papertrailapp.com. 3395    IN      A       169.46.82.162
logs.papertrailapp.com. 3395    IN      A       169.46.82.163
logs.papertrailapp.com. 3395    IN      A       169.46.82.164
logs.papertrailapp.com. 3395    IN      A       169.46.82.165

;; Query time: 22 msec
;; SERVER: 10.100.0.1#53(10.100.0.1)
;; WHEN: Wed Mar 11 15:17:04 MDT 2020
;; MSG SIZE  rcvd: 104

And with my config: 

host logs.papertrailapp.com {
    any notice;
    authorization info;
    firewall info;
    port XXXXX; 
}

I'll get 4 messages in papertrail for every 1 event sent by the MX.


If I replace "logs.papertrailapp.com" with an IP address, then it works as expected and I get just 1 message per event. Normally systems will fetch DNS records of a domain and pick just one IP to use... Is this by design for Juniper to use all DNS records? 


Re: syslog to a FQDN duplicates all messages by number of DNS records...

‎03-11-2020 04:59 PM

Hi EchoB, 


I hope you are doing great!


Instead of configuring a DNS name as the host, can you configure any of the IP addresses of the remote host (IPv4 or IPv6) in the syslog host configuration? That will help avoid duplicate syslog messages.


Pablo



Re: syslog to a FQDN duplicates all messages by number of DNS records...

‎03-12-2020 03:47 AM

That's what I ended up doing. Ideally I should be able to use a FQDN, in case IPs change or something else happens. Is it expected behavior of the MX to send to all DNS records for a domain? 😕 
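The thread describes a syslog host configured by FQDN producing one copy of every event per A record in the answer, and the workaround of pinning a single IP. The script below is an added example, not code from the thread or from Juniper: it parses a constructed copy of the dig answer shown above to predict the fan-out factor, and shows a receiver-side sliding-window collapse of the resulting duplicates so you can see what a dedup stage would keep and drop. The log lines in RECEIVED are constructed for the example; `answer_addresses`, `expected_copies` and `dedupe` are hypothetical helper names.

```python
"""Predict syslog fan-out from a dig answer and collapse the resulting
duplicate events on the receiving side (added example, not from the thread)."""
import re
from collections import deque

# Constructed copy of the relevant part of the dig answer quoted in the thread.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;logs.papertrailapp.com.                IN      A

;; ANSWER SECTION:
logs.papertrailapp.com. 3395    IN      A       169.46.82.162
logs.papertrailapp.com. 3395    IN      A       169.46.82.163
logs.papertrailapp.com. 3395    IN      A       169.46.82.164
logs.papertrailapp.com. 3395    IN      A       169.46.82.165

;; Query time: 22 msec
"""

# One dig answer line: name, TTL, class IN, type A, dotted-quad address.
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def answer_addresses(dig_text):
    """Return the A-record addresses listed in the ANSWER SECTION of dig output."""
    addrs = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():  # blank line ends the section
                break
            m = A_RECORD.match(line)
            if m:
                addrs.append(m.group("addr"))
    return addrs


def expected_copies(dig_text):
    """Copies of each event a syslog host configured by FQDN will produce,
    following the behaviour reported in the thread: one copy per A record."""
    return max(1, len(answer_addresses(dig_text)))


# Constructed receiver-side sample: two distinct events, each delivered
# four times (once per destination address), in the order the sender emits them.
EVENT_A = "Mar 11 15:17:04 mx-router mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation"
EVENT_B = "Mar 11 15:17:05 mx-router sshd[5678]: Accepted publickey for admin from 10.0.0.5 port 51234"
RECEIVED = [EVENT_A] * 4 + [EVENT_B] * 4


def dedupe(lines, window):
    """Collapse exact repeats of a line seen within the last `window` lines.
    Returns (kept_lines, dropped_count). A window of a small multiple of the
    fan-out factor is enough to catch the duplicates without swallowing
    genuine repeats that arrive later."""
    recent = deque(maxlen=window)
    kept, dropped = [], 0
    for line in lines:
        if line in recent:
            dropped += 1
        else:
            kept.append(line)
        recent.append(line)
    return kept, dropped


if __name__ == "__main__":
    copies = expected_copies(DIG_OUTPUT)
    print(f"A records: {answer_addresses(DIG_OUTPUT)} -> {copies} copies per event")
    kept, dropped = dedupe(RECEIVED, window=2 * copies)
    print(f"kept {len(kept)} events, dropped {dropped} duplicates")
```

Receiver-side collapsing is a fallback, not a fix: an exact-match window will also merge legitimately repeated messages (repeated authentication failures, for instance) that land inside the window, which is why the reply's approach of pinning a single address, or an explicit per-address `host` entry, is the safer configuration when you cannot avoid a multi-record name.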
