Getting Data In

forwarder used to forward multiple tcp ports

ralphw_SAIC
Path Finder

I have an indexer that is using two forwarders to get logs. These forwarders are forwarding other forwarders in their zone. One of these forwarders is also set up to forward syslogs from an appliance.

The indexer also receives syslogs from one of these appliances. The problem I have is that the logs coming from the local appliance resolve the name, while the logs coming through the forwarder from the remote appliance do not and only show the host as an IP. Now, the forwarder is also forwarding logs from other forwarders, but they resolve their names.

Any idea?

0 Karma

ralphw_SAIC
Path Finder

Found the answer in inputs.conf. Setting connection_host = dns fixed my issue.

0 Karma

acharlieh
Influencer

There seems to be quite a bit here and I'm not sure that I'm parsing it all completely. Are you asking about host being set on syslog data? Are you sending syslog directly to Splunk, or are you sending it to a syslog server? (Good blog post on this topic: www.georgestarcher.com/splunk-success-with-syslog/ ) Are you using sourcetype=syslog, which out of the box reads and sets the host name from data contained in each log entry itself at index time (specifically when the data goes through the regex replacement processor, which usually happens on an indexer or on a heavy forwarder depending on your architecture)?

0 Karma

ralphw_SAIC
Path Finder

I have a universal forwarder that is being used to feed logs both from other universal forwarders and from appliances using syslog. The forwarders are using port x and the appliances are using port y. This is allowing me to send them to separate indexes. The inputs.conf file on the main forwarder has port y as sourcetype syslog.

I have some appliances being sent directly to the indexer with no problems. The issue going through the forwarder is that it does not resolve the host name, just the IP.

Here is what I see in the Splunk logs (it shows the hostname, just not under host 😃):
<166>2015-10-26T11:53:49.001Z aaaaa.bbbb.com Hostd: [FFC81B70 info 'Hostsvc.DvsTracker' opID=hostd-f801 user=vpxuser] FetchUplinkDVPortgroups: added 4 items

host = 111.222.333.444
source = tcp:1514
sourcetype = syslog

Here is my inputs file on the forwarder:
[tcp://y]
sourcetype = syslog
index = appliances

0 Karma
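For reference, an added example (not from the thread) of the forwarder's inputs.conf with the default host behaviour beside the setting from the accepted answer. The tcp port 1514 and the index name come from the thread; the splunktcp receiving port 9997 is an assumed value.

```ini
# Added example, not the original poster's config.
# inputs.conf on the receiving universal forwarder.

# Appliance syslog over raw TCP, as originally configured. A tcp:// input
# without connection_host behaves as connection_host = ip, so the host field
# is the sender's IP address (host = 111.222.333.444 in the thread).
#[tcp://1514]
#sourcetype = syslog
#index = appliances

# Corrected stanza: reverse-resolve the sender's IP so host is its DNS name.
[tcp://1514]
sourcetype = syslog
index = appliances
connection_host = dns

# Data from the other universal forwarders arrives cooked on the splunktcp
# receiving port and keeps the host value each sending forwarder already set,
# which is why those events showed resolved names all along.
# Port 9997 is an assumed value for "port x" in the thread.
[splunktcp://9997]
```

connection_host = dns depends on the forwarder being able to reverse-resolve the appliance's address; if there is no PTR record for it, the host field still falls back to the IP.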