Short hostnames appear as IP address

mhaverkamp — Tue, 05 Jul 2011 19:02:17 GMT

I have a problem where I can not find syslog messages for certain hosts based on the "host" field. e.g. the search host="h1" returns no results for my system with the hostname h1. If I search for simply "h1", I can find the results I want. But I notice then that the "host" field is showing the IP address of h1, rather than h1 as it should. Through experimentation, I have found that this happens for any host where the host name is 2 characters or less. Any host name that is at least 3 characters long works.

Looking at the transforms.conf file, I think I see the likely causes in the following regular expressions:

[syslog-host] DEST_KEY = MetaData:Host
REGEX =
:\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s
FORMAT = host::$1

[syslog-host-full] DEST_KEY =
MetaData:Host REGEX =
^[^:]\d\d:\d\d:\d\d[^:]?\s((\d+.\d+.\d+.\d+)|(\w[\w.-]{2,})(?=\s+[^\s:]+:))
FORMAT = host::$1

In both cases, the "{2,}" seems to force a 3 character or greater host name before these expressions will match. This seems like an arbitrary limit. Could these be changed to "{1,}" or even "{0,}" to allow 2 or 1 character hostnames?

Re: Short hostnames appear as IP address

Mick — Tue, 05 Jul 2011 21:41:18 GMT

The quick answer is yes, you can modify the settings in the .../default/transforms.conf by creating a stanza of the same name in the `...local/transforms.conf' file.

The default settings are based on what we expect syslog data to look like but it's not going to match every possible format out there. Just remember than any changes you make to files in the default directories may get overwritten on an upgrade, so make sure you always make your changes in the local directory.

topic Re: Short hostnames appear as IP address in Getting Data In

Short hostnames appear as IP address

Re: Short hostnames appear as IP address