I have a real need to insert a hostname into an event at collection\index time, not at search time. Seeing that most of the IPs that I'm looking to resolve to hostnames change very frequently, I need to capture the hostname and include it in the event when it is indexed. Does anyone know a way to do that? I looked at these articles but they don't seem to be helpful to do it at index time.
So basically a quick reverse DNS lookup and insert it into the event as a "hostname" field would be perfect. This will allow me to follow specific hosts and have information on every IP that host had.
Thanks,
-Ben
This is a 2-step process, because there are limited things you can do at index time and because we want to do as little as possible during index time for optimal performance. So without further ado, here goes:
I tried this method; it doesn't take into consideration dynamic IP addressing (DHCP scope). I need the DNS entry to be added at the time of index and remain fixed. Has anyone else found a way around this? I assume it is possible to add a field at index time from an external DNS lookup but haven't found a way to implement it...
Did you ever get this resolved? I have the same challenge and am not finding a solution.
Nope - I was told it's not possible. The only way to do it would be to get the forwarder to grab the host name and send it across as part of the event. Didn't end up doing it that way though.
Hi, did you find out how to do this? I'm having the same requirement.
In inputs.conf, using connection_host = dns doesn't work for you?
This should set the host to the reverse DNS of the computer sending you data.
But doesn't that just give me the hostname of the computer that is sending me data? I would like the hostname of the src_IP seen within the event; this will be different from the computer\appliance sending me the data.
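One way to do what the earlier reply describes, resolving the name on the collection side and sending it as part of the event, is a small filter that runs before the data is forwarded. This is an added example, not code from the thread or from Splunk; the `src=`/`src_ip=` event format, the 300-second cache lifetime and the `unresolved` marker are assumptions. PTR records are controlled by whoever owns the address space, so the returned name is sanitized before it is written into the event.

```python
import re
import socket
import sys
import time

# Assumption: events carry the address as src=<IPv4> or src_ip=<IPv4>.
SRC_RE = re.compile(r'\bsrc(?:_ip)?=(\d{1,3}(?:\.\d{1,3}){3})\b', re.I)
UNSAFE = re.compile(r'[^A-Za-z0-9._-]')  # anything not valid in a DNS name

def reverse_dns(ip):
    """PTR lookup; returns None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

class Enricher:
    """Stamps hostname="<name>" onto each event at collection time."""

    def __init__(self, resolver=reverse_dns, ttl=300, clock=time.monotonic):
        self.resolver, self.ttl, self.clock = resolver, ttl, clock
        self.cache = {}  # ip -> (expiry, name)

    def lookup(self, ip):
        # Short-lived cache: DHCP leases move, so old answers must age out.
        now = self.clock()
        hit = self.cache.get(ip)
        if hit and hit[0] > now:
            return hit[1]
        name = self.resolver(ip)
        self.cache[ip] = (now + self.ttl, name)
        return name

    def enrich(self, line):
        line = line.rstrip("\n")
        m = SRC_RE.search(line)
        if not m or " hostname=" in line:
            return line
        name = self.lookup(m.group(1))
        # Strip quotes, spaces and '=' so a hostile PTR cannot inject fields.
        name = UNSAFE.sub("_", name) if name else "unresolved"
        return f'{line} hostname="{name}"'

if __name__ == "__main__":
    enricher = Enricher()
    for raw in sys.stdin:
        print(enricher.enrich(raw), flush=True)
```

Because the name is written into the raw event, it stays fixed as the value that was valid when the event was collected, even after the DHCP lease moves to another host.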