==============

gshah · ‎04-20-2010

Server is running 4.1.

This does not seem to be an issue for default udp (that is, udp/514) messages.

[udp://9514]
disabled = false
sourcetype = cisco_syslog
index = udp9514
connection_host = dns

Received syslog messages retain their IP address and not get switched to hostname.

jrodman · ‎04-20-2010

This should work the same for both. Can you please review the output of splunk cmd btool inputs list

mayler · ‎04-20-2010

Just checked my data input (because i'm doing the same thing) and turns out...there is a radio button for DNS.

Navigate to Admin/Manager..whatever (from web ui), Data Inputs, UDP, Your UDP 515 or other port, make sure "Set Host" has DNS selected.

mayler · ‎04-20-2010

I think that the system hosting splunk needs to be configured to do dns lookups for this new port. I could be wrong...but check this out:

options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (yes); use_fqdn (yes); use_time_recvd (yes); create_dirs (yes); keep_hostname (yes); };

==============

SOURCES

==============

source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); # udp(ip(0.0.0.0) port(514)); };

source s_net { udp(ip(0.0.0.0) port (514)); };

This is from my syslog-ng.conf file. Maybe adding the following will help?

source s_net { udp(ip(0.0.0.0) port (515)); };

hostname from non-default udp input does not get converted into DNS entry ...

==============

SOURCES

==============

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio