Syslog tcp forwarding and DNS resolution

ng1p
Path Finder

I have set up my main syslog server to forward syslog via TCP port 514 to a test Splunk system running 4.2 that was upgraded from 4.1.7. The syslog data arrives fine and I can see it. The problem is that no DNS resolution is happening. Here is an example of a log seen in Splunk:

<4>Nov 22 10:28:00 10.10.10.100 kernel:

The 10.10.10.100 is a known host in DNS and does not resolve in Splunk. If I do an nslookup from the command prompt of the server running Splunk, it does resolve.

My input.conf is set up right, as follows:
[tcp://514]
connection_host = dns
index = main
sourcetype = syslog

Doing a "tcpdump port 53" during a restart of Splunk, I see that it never tried to resolve the IP address in the log, "10.10.10.100". The address I do see Splunk resolving is the IP address of the syslog server sending the TCP syslog message. It was my understanding that Splunk should resolve IPs captured when doing TCP syslog forwarding, not just the single IP of the forwarding syslog server.

Any help here?

Damien_Dallimor
Ultra Champion

The host field in the metadata for the syslog events will be the value of your forwarding server, and this is the field that connection_host=dns pertains to.

index=main sourcetype=syslog | dedup host | table host

If you are trying to resolve the IP address contained within the syslog message, then you will have to perform a host TRANSFORM to make the IP address in the message the value of the host field.

props.conf

[syslog]
TRANSFORMS-host = extract-host

transforms.conf

[extract-host]
DEST_KEY = MetaData:Host
REGEX  = #YOUR IP ADDRESS REGEX#
FORMAT = host::$1

Alternatively, you could EXTRACT the IP address from the syslog message at search time and do a reverse DNS lookup.

Read here for how to do this

Damien_Dallimor
Ultra Champion

A real simple regex might be something like:

(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

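As an added example that is not part of this thread, the Python below emulates the REGEX/FORMAT step of the transforms.conf stanza posted above on constructed syslog lines, so you can see what host value a given regex would produce before deploying it. The unescaped-dot variant of the simple regex, the stricter HEADER_IP_RE that only reads the hostname slot of the syslog header, and the resolve_host helper for the search-time reverse lookup are my assumptions, not Splunk code.

```python
import re
import socket

# Constructed sample events (the first mirrors the line in the question,
# the second has a hostname in the header and an IP only in the message body).
SAMPLE_EVENTS = [
    "<4>Nov 22 10:28:00 10.10.10.100 kernel:",
    "<4>Nov 22 10:28:01 fw01 kernel: DROP SRC=192.0.2.55",
]

# The thread's simple regex with unescaped dots ('.' matches any character)...
LOOSE_IP_RE = re.compile(r"(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})")
# ...and with the dots escaped so only dotted quads match.
STRICT_IP_RE = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# Assumed hardening: take the IP only from the hostname slot of the
# "<PRI>Mon DD HH:MM:SS host tag:" header, never from the message body.
HEADER_IP_RE = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s"
)


def apply_host_transform(event, regex, fmt="host::$1"):
    """Emulate a transforms.conf stanza with DEST_KEY = MetaData:Host.

    Returns the new host value, or None when REGEX does not match
    (in which case Splunk leaves the host field untouched)."""
    m = regex.search(event)
    if not m:
        return None
    # FORMAT refers to capture groups as $1..$n, like the page's host::$1.
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)
    return value.split("::", 1)[1]


def transform_all(events, regex):
    """Host value each event would get under the given REGEX."""
    return [apply_host_transform(e, regex) for e in events]


def resolve_host(ip, resolver=socket.gethostbyaddr):
    """Search-time alternative: reverse lookup, falling back to the IP."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return ip


if __name__ == "__main__":
    for name, rx in (("loose", LOOSE_IP_RE), ("strict", STRICT_IP_RE),
                     ("header", HEADER_IP_RE)):
        print(f"{name:>6}: {transform_all(SAMPLE_EVENTS, rx)}")
```

With the unescaped dots the first event's host becomes the timestamp "22 10:28:00", and with dots escaped but no anchoring the second event's host becomes the firewall's SRC address; only the header-anchored pattern leaves that event alone.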

stefanlasiewski
Contributor

Damien, can you elaborate further? What would #YOUR IP ADDRESS REGEX# look like?
