Hi,
We have a fairly new install of Splunk 5.0.4, and I've now opened UDP:514 and the syslog is flowing in. The problem, though, is that Splunk lists the hosts with their source IP address instead of the real hostname.
The IPs are all resolvable in rDNS on the Splunk server. I can't really find anything reasonable for this case in the manager section either.
What can cause this?
Hi Torgeirarnoy,
This would be the point you dive into the config files, specifically the inputs.conf where you have specified the UDP:514 input. You'll need to change the default 'connection_host' value (ip) to (dns).
[udp://514]
connection_host = dns
sourcetype = syslog
REF: http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Inputsconf
Hope this helps!
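To check an existing inputs.conf for UDP inputs that are still recording the sender's IP as host, here is an added example (not part of the original answer and not Splunk's own code). The sample config is constructed, and it assumes that settings in a [default] stanza are inherited by every input stanza.

```python
# Added example: report the effective connection_host of each UDP input.
UDP_DEFAULT = "ip"  # default for UDP inputs, as stated in the answer above

# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = """\
[default]
host = splunk01

[udp://514]
sourcetype = syslog

[udp://1514]
connection_host = dns
sourcetype = syslog

[monitor:///var/log/messages]
sourcetype = syslog
"""

def parse_conf(text):
    """Return {stanza: {key: value}} for the body of a Splunk .conf file."""
    stanzas = {}
    current = stanzas.setdefault("default", {})  # keys before any stanza are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def udp_connection_hosts(text):
    """Map each UDP stanza to its effective connection_host value."""
    stanzas = parse_conf(text)
    # Assumption: a value set in [default] applies unless the stanza overrides it.
    fallback = stanzas["default"].get("connection_host", UDP_DEFAULT)
    return {name: settings.get("connection_host", fallback)
            for name, settings in stanzas.items() if name.startswith("udp:")}

def not_using_dns(text):
    """List UDP stanzas that will not record the reverse-DNS name as host."""
    return sorted(n for n, v in udp_connection_hosts(text).items() if v != "dns")

if __name__ == "__main__":
    for stanza, mode in udp_connection_hosts(SAMPLE_CONF).items():
        print(f"[{stanza}] connection_host = {mode}")
    print("still logging IP as host:", not_using_dns(SAMPLE_CONF))
```

Pass the contents of your own inputs.conf to not_using_dns() in place of SAMPLE_CONF; any stanza it lists needs connection_host = dns before hostnames show up.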
Worked perfectly. Thanks a lot.