Getting Data In

hostname from non-default udp input does not get converted into DNS entry ...

gshah
Engager

Server is running 4.1.

This does not seem to be an issue for default udp (that is, udp/514) messages.

[udp://9514]
disabled = false
sourcetype = cisco_syslog
index = udp9514
connection_host = dns

Received syslog messages retain their IP address and not get switched to hostname.

Tags (1)

jrodman
Splunk Employee
Splunk Employee

This should work the same for both. Can you please review the output of splunk cmd btool inputs list

mayler
Path Finder

Just checked my data input (because i'm doing the same thing) and turns out...there is a radio button for DNS.

Navigate to Admin/Manager..whatever (from web ui), Data Inputs, UDP, Your UDP 515 or other port, make sure "Set Host" has DNS selected.

0 Karma

mayler
Path Finder

I think that the system hosting splunk needs to be configured to do dns lookups for this new port. I could be wrong...but check this out:

options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (yes); use_fqdn (yes); use_time_recvd (yes); create_dirs (yes); keep_hostname (yes); };

==============

SOURCES

==============

source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); # udp(ip(0.0.0.0) port(514)); };

source s_net { udp(ip(0.0.0.0) port (514)); };

This is from my syslog-ng.conf file. Maybe adding the following will help?

source s_net { udp(ip(0.0.0.0) port (515)); };

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...