Hi,
My forwarder is forwarding messages from a private subnet to our splunk indexer.
Here's an example of what I'm getting:
3:57:04.000 PM
Mar 5 15:57:04 10.150.XXX.XXX logmgr: ID = 516 : Tue Mar 5 15:53:59 2013 : Audit : Log : minor : root : Set : object = "/SP/alertmgmt/rules/testalert" : value = "true" : success
host=10.150.XXX.XXX
sourcetype=udp:514
source=udp:514
What I'd like is for the hostname to be resolved.
On the forwarder I can resolve the IP address to a hostname:
$ host 10.150.XXX.XXX
XXX.XXX.150.10.in-addr.arpa domain name pointer XXXXX-ilom.university.ac.uk.
I had a look at the splunk documentation and tried the instructions here to try and get around the problem:
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources
In summary, I made the following changes to the quoted files, ensured there was also a copy of each in /opt/splunk/etc/apps/SplunkForwarder/local, and restarted Splunk, but it didn't work.
In /opt/splunk/etc/system/local/props.conf
Added the 2 bottom lines to the access_combined section:
[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
LOOKUP-dns = dnsLookup host OUTPUT ip AS clientip
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname
In /opt/splunk/etc/system/local/transforms.conf
Changed to the following 2 lines in the dns_lookup section
external_cmd = external_lookup.py host ip
fields_list = host, ip
Does anyone have any ideas what I'm doing wrong?
Many Thanks, Maria
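The external lookup the question wires up via `external_cmd = external_lookup.py host ip` follows Splunk's scripted-lookup contract: Splunk runs the script with the field names from `fields_list` as arguments, pipes a CSV with those columns on stdin (one row per event, with the known side filled in), and reads back a CSV with the same header where the script has filled in the missing side. The script below is an added example of that contract, not the `external_lookup.py` shipped with Splunk and not the poster's configuration. It does the reverse lookup (`ip` to `host`) the question needs, leaves the field empty when an address is junk or cannot be resolved so Splunk does not emit a bogus hostname, and bounds resolver time with a socket timeout. The sample CSV, the `192.0.2.10` address and the stub resolvers used for the offline demo are constructed for the example.

```python
#!/usr/bin/env python3
"""Scripted (external) lookup for Splunk: fill the missing side of host/ip pairs.

Splunk invokes it as:  external_lookup.py host ip   (argument names come from fields_list)
stdin:  CSV with header "host,ip", one row per event
stdout: CSV with the same header, missing values filled in where resolvable
"""
import csv
import io
import ipaddress
import socket
import sys


def reverse_lookup(ip):
    """Reverse DNS (PTR) for one IP; empty string when it cannot be resolved."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""


def forward_lookup(host):
    """Forward DNS (A) for one hostname; empty string when it cannot be resolved."""
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, OSError):
        return ""


def fill_rows(rows, rdns=reverse_lookup, fdns=forward_lookup):
    """Fill whichever of host/ip is missing in each row.

    Values that cannot be resolved stay empty, so Splunk leaves the output
    field unset instead of writing a misleading value into the event.
    """
    out = []
    for row in rows:
        host = (row.get("host") or "").strip()
        ip = (row.get("ip") or "").strip()
        if ip and not host:
            try:
                ipaddress.ip_address(ip)  # reject non-addresses before hitting the resolver
            except ValueError:
                out.append({"host": "", "ip": ip})
                continue
            host = rdns(ip)
        elif host and not ip:
            ip = fdns(host)
        out.append({"host": host, "ip": ip})
    return out


def process_csv(text, rdns=reverse_lookup, fdns=forward_lookup):
    """Apply the lookup to a CSV document and return the CSV Splunk expects back."""
    reader = csv.DictReader(io.StringIO(text))
    rows = fill_rows(list(reader), rdns, fdns)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "ip"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample input and stub resolvers, so the script can be exercised offline.
SAMPLE_CSV = "host,ip\n,192.0.2.10\nXXXXX-ilom.university.ac.uk,\n,not-an-ip\n"
STUB_PTR = {"192.0.2.10": "XXXXX-ilom.university.ac.uk"}
STUB_A = {"XXXXX-ilom.university.ac.uk": "192.0.2.10"}


def demo():
    """Run the lookup over SAMPLE_CSV with the stub resolvers (no network needed)."""
    return process_csv(SAMPLE_CSV, lambda ip: STUB_PTR.get(ip, ""), lambda h: STUB_A.get(h, ""))


if __name__ == "__main__":
    socket.setdefaulttimeout(2)  # a hung resolver must not stall the search pipeline
    if sys.stdin.isatty():
        sys.stdout.write(demo())  # run by hand: show the offline demo
    else:
        sys.stdout.write(process_csv(sys.stdin.read()))  # run by Splunk: real DNS
```

Drop the script into the app's `bin/` directory (the `bin/` of whichever app owns the `transforms.conf` stanza) and make it executable; the `fields_list = host, ip` order on the page matches the argument order Splunk passes. Note that this only labels events at search time: the answer below fixes the `host` field at input time instead, which is what you want if other searches and alerts key on `host`.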
Here's the answer for those who need it.
In /opt/splunk/etc/system/local/inputs.conf
you need:
[udp://514]
connection_host=dns
The thing that threw me for ages was you need the 514; without it you would expect it would do for all, but for some reason it does not!!!!
Sorry, thought I'd done that!!!!
mark it as answered 😉