Alerting

Syslog tcp forwarding and DNS resolution

ng1p
Path Finder

I have set up my main syslog server to forward syslog via TCP port 514 to a test Splunk system running 4.2 that was upgraded from 4.1.7. The syslog data arrives fine and I can see it. The problem is that no DNS resolution is happening. Here is an example of a log seen in Splunk:

<4>Nov 22 10:28:00 10.10.10.100 kernel:

The 10.10.10.100 is a known host in DNS and does not resolve in Splunk. If I do an nslookup from the command prompt of the server running Splunk it does resolve.

My inputs.conf is set up right as follows:
[tcp://514]
connection_host = dns
index = main
sourcetype = syslog

Doing a "tcpdump port 53" during a restart of Splunk I see that it never tried to resolve the IP address in the log, "10.10.10.100". The address I do see Splunk resolving is the IP address of the syslog server sending the TCP syslog message. It was my understanding that Splunk should resolve IPs captured when doing TCP syslog forwarding, not just the single IP of the forwarding syslog server.

Any help here?

Damien_Dallimor
Ultra Champion

The host field in the metadata for the syslog events will be the value of your forwarding server, and this is the field that connection_host=dns pertains to.

index=main sourcetype=syslog | dedup host | table host

If you are trying to resolve the IP address contained within the syslog message, then you will have to perform a host TRANSFORM to make the IP address in the message the value of the host field.

props.conf

[syslog]
TRANSFORMS-host = extract-host

transforms.conf

[extract-host]
DEST_KEY = MetaData:Host
REGEX  = #YOUR IP ADDRESS REGEX#
FORMAT = host::$1

Alternatively you could EXTRACT the IP address from the syslog message at searchtime and do a reverse DNS lookup.

Read here for how to do this

Damien_Dallimor
Ultra Champion

A real simple regex might be something like :

(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

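The two pieces of Damien's answer, the [extract-host] transform and the "real simple" IP regex, can be checked offline before touching props.conf and transforms.conf. The script below is an added example, not code from the thread or from Splunk: it runs candidate REGEX values over constructed syslog lines modelled on the one in the question, reports what FORMAT = host::$1 would put into the host field, and then does the reverse DNS step against a made-up PTR table (FAKE_PTR) so it needs no network. The patterns stay within the subset of syntax that Splunk's PCRE engine and Python's re module share; the octet-range check in is_valid_ipv4 is an extra guard of this example's, not something the transforms.conf stanza does.

```python
import re
import socket

# Constructed sample events modelled on the line in the question; the third one
# has a malformed host field and exists to exercise the no-match case.
SAMPLE_EVENTS = [
    "<4>Nov 22 10:28:00 10.10.10.100 kernel: eth0: link up",
    "<6>Nov 22 10:28:01 10.10.10.101 sshd[2211]: Accepted publickey for ops",
    "<4>Nov 22 10:28:02 10x10x10x100 kernel: host field is not an address",
]

# Three candidate values for the REGEX key of an [extract-host] stanza.
# LOOSE_RE leaves the dots unescaped, so "." matches any character and the
# first thing it captures in a BSD syslog line is the timestamp, not the host.
# ESCAPED_RE fixes that. ANCHORED_RE additionally pins the capture to the host
# position of the header, so a dotted quad in the message body can never be
# promoted into the host field.
LOOSE_RE = re.compile(r"(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})")
ESCAPED_RE = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
ANCHORED_RE = re.compile(
    r"^<\d{1,3}>"                             # PRI, e.g. <4>
    r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s"   # Nov 22 10:28:00
    r"((?:\d{1,3}\.){3}\d{1,3})\s"            # host field, captured as $1
)


def capture(event, pattern):
    """What the stanza's REGEX would capture as $1 for this event, or None."""
    m = pattern.search(event)
    return m.group(1) if m else None


def is_valid_ipv4(value):
    """Reject captures that are not four octets in 0..255 (\\d{1,3} alone allows 999)."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def extract_host(event, pattern=ANCHORED_RE):
    """Host value the transform would set via FORMAT = host::$1, after validation."""
    value = capture(event, pattern)
    if value is None or not is_valid_ipv4(value):
        return None
    return value


# Hypothetical PTR table standing in for the resolver so the example runs
# offline; pass table=None to reverse_lookup() to query real DNS instead.
FAKE_PTR = {
    "10.10.10.100": "fw01.example.internal",
    "10.10.10.101": "bastion.example.internal",
}


def reverse_lookup(ip, table=FAKE_PTR):
    """Reverse-resolve a host value, keeping the bare IP when there is no PTR record."""
    if table is not None:
        return table.get(ip, ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are both OSError subclasses
        return ip


def enrich(events, pattern=ANCHORED_RE, table=FAKE_PTR):
    """Pair each event with the host the transform would produce and its resolved name."""
    rows = []
    for event in events:
        host = extract_host(event, pattern)
        rows.append((host, reverse_lookup(host, table) if host else None))
    return rows


if __name__ == "__main__":
    print("loose regex captures:", capture(SAMPLE_EVENTS[0], LOOSE_RE))
    for host, name in enrich(SAMPLE_EVENTS):
        print(f"{host!s:>14}  ->  {name}")
```

Running it shows why the dots must be escaped: on the question's own log line the unescaped pattern captures "22 10:28:00", which is what the host field would have become. The anchored pattern is the one to carry into transforms.conf once the constructed lines match your real header layout.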

stefanlasiewski
Contributor

Damien, can you elaborate further? What would #YOUR IP ADDRESS REGEX# look like?
