topic Re: How to set different host values on one udp port in Getting Data In

How to set different host values on one udp port

920087764 — Tue, 15 May 2018 09:20:06 GMT

Hi
I want to set different host value on udp 514 .
Events host values equals their IPs, so I want to change it to hostnames.
I configured the inputs.conf as below:

[udp://1.1.1.1:514]
host = SWITCH
connection_host = dns
sourcetype = syslog-Switch

[udp://2.2.2.2:514]
host = FIREWALL
connection_host = dns
sourcetype = syslog-FIREWALL

The sourcetype values change, but host values do not.

Re: How to set different host values on one udp port

FrankVl — Tue, 15 May 2018 11:13:07 GMT

As far as I know, you cannot configure multiple UDP inputs for the same port.
your settings are confusing: you're hardcoding the host value to "SWITCH" or "FIREWALL", but also using connection_host = dns. What is it that you want to achieve?

If connection_host = dns is not resulting in having hostnames in the host field, but still results in IP addresses, are you sure the IP address can be resolved to a hostname using a reversed DNS lookup?

Also: do you have any configuration in place that might override the host field value using information from inside the events?

Re: How to set different host values on one udp port

920087764 — Wed, 16 May 2018 05:46:40 GMT

I removed connection_host = dns but result does not change.

as far as i checked, there was no configuration in place that override the host field value using events information.

Re: How to set different host values on one udp port

FrankVl — Wed, 16 May 2018 07:20:15 GMT

I think the inputs.conf spec prescribes to set connection_host = none if you want to set the host using a host = setting.