Getting Data In

Change hostname

edwardrose
Contributor

Hello All,

I have several devices on our network that have one interface/IP address in our DMZ and a management IP address in a securecell. We use the management IP address to send syslogs to a syslog-ng server. The issue I have is that a Qualys scan of our DMZ network shows the DMZ IP address/hostname. So when I run a search for data from dmz-sys-1 in Splunk we do not find it, because the data is collected on mgmt-sys-1.

So I was thinking of using props.conf and transforms.conf to rename the hostname of all 20 of these devices from mgmt-sys-x to dmz-sys-x.

Here is what I was thinking for props.conf:

[cisco:asa]
TRANSFORMS-hostname = mgmt-sys-01,mgmt-sys-02,mgmt-sys-03,mgmt-sys-04

And the transforms.conf:

[mgmt-sys-01]
hostname = dmz-sys-01

[mgmt-sys-02]
hostname = dmz-sys-02

[mgmt-sys-03]
hostname = dmz-sys-03

[mgmt-sys-04]
hostname = dmz-sys-04

Would that work?

0 Karma

mayurr98
Super Champion

Is the DMZ hostname getting logged in the events?
If it is, then you can extract it using field extractions and then run a search based on that field. Give a sample event if you don't know how to extract it.

0 Karma

gcusello
SplunkTrust

Hi edwardrose,
Do you want to permanently modify the logs, or do you want to display the correct host at search time?
In the first case you can use the SEDCMD command;
if instead you don't want to permanently modify the logs (sometimes it is not allowed) you can use a regex to override the hostname value:

| rex field=hostname mode=sed "s/^mgmt-sys-/dmz-sys-/"

Bye.
Giuseppe

0 Karma

edwardrose
Contributor

Hello Giuseppe,

I would like to permanently change the hostname.

Thanks
ed

0 Karma

gcusello
SplunkTrust

In this case, put the following stanza in props.conf:

[cisco:asa]
SEDCMD-hostname = s/mgmt-sys-/dmz-sys-/g

Bye.
Giuseppe

0 Karma

edwardrose
Contributor

Hello Giuseppe,

So I wasn't exactly specific with the hostnames of the network devices.

The management hostnames are like the following:

amywanra1
tokwanra1
wvwanra1
wvwanra2

And the DMZ hostnames are like the following:
vpn-inn
vpn-wv1
vpn-wv2
vpn-hsi

So I am not certain how to make these work properly, except with the example that I used in my original post.

0 Karma

gcusello
SplunkTrust

Hi edwardrose,
If you have a situation that is not as schematic as the one you showed in the main post, maybe the best solution is to ingest the logs without transformation (or with only the simple ones) and then manage the transformation at search time: create a lookup that contains the original hostname and the new one, then create an automatic lookup so you'll have the new value.
Bye.
Giuseppe

0 Karma
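The search-time approach described above, as an added example that is not part of the thread: it builds the lookup CSV from the two host pairs that appear later in this thread, sanity-checks the table before it is deployed (a management host listed twice would make the automatic lookup pick one silently), shows what the lookup would return for one event, and writes the two stanzas an automatic lookup needs. The stanza, file and field names (host_to_dmz, mgmt_host, dmz_host) and the temporary directory are assumptions chosen for this example; the sourcetype is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Builds and checks a host-rename lookup
# and writes the props.conf / transforms.conf stanzas for an automatic lookup.
# Names host_to_dmz, mgmt_host and dmz_host are assumptions for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_lookup : write the CSV mapping the logging (management) hostname to the
# DMZ name the vulnerability scan reports. Only the two pairs given in the
# thread are filled in; further rows follow the same shape. Prints the path.
build_lookup() {
    cat > "$WORK/host_to_dmz.csv" <<'EOF'
mgmt_host,dmz_host
amywanra1,vpn-inn
tokwanra1,vpn-wv1
EOF
    printf '%s\n' "$WORK/host_to_dmz.csv"
}

# check_lookup CSV : refuse a table with the wrong header, a blank field, or a
# management host listed twice. Prints "ok" or a description of the problem.
check_lookup() {
    awk -F, '
        NR == 1 {
            if ($0 != "mgmt_host,dmz_host") { print "bad header: " $0; bad = 1; exit }
            next
        }
        NF != 2 || $1 == "" || $2 == "" { print "bad row " NR ": " $0; bad = 1; exit }
        seen[$1]++ { print "duplicate mgmt_host: " $1; bad = 1; exit }
        END { if (!bad) print "ok" }
    ' "$1"
}

# resolve CSV MGMT_HOST : the dmz_host value the automatic lookup would add to
# an event from MGMT_HOST; prints nothing when the host is not in the table,
# which is also what the lookup does (it adds no field).
resolve() {
    awk -F, -v h="$2" 'NR > 1 && $1 == h { print $2; exit }' "$1"
}

# write_conf : the two stanzas for the automatic lookup. The CSV belongs in the
# app's lookups/ directory next to these files. Prints the directory.
write_conf() {
    cat > "$WORK/transforms.conf" <<'EOF'
[host_to_dmz]
filename = host_to_dmz.csv
EOF
    cat > "$WORK/props.conf" <<'EOF'
[cisco:asa]
LOOKUP-dmz_host = host_to_dmz mgmt_host AS host OUTPUT dmz_host
EOF
    printf '%s\n' "$WORK"
}

# Stand-alone run: build, check, resolve one host, write the stanzas.
CSV=$(build_lookup)
printf 'lookup check: %s\n' "$(check_lookup "$CSV")"
printf 'amywanra1 -> %s\n' "$(resolve "$CSV" amywanra1)"
printf 'stanzas written under %s\n' "$(write_conf)"
```

With the lookup in place the raw events are untouched and a search such as `sourcetype=cisco:asa dmz_host=vpn-inn` finds the events that were collected under the management name; the check function is the step worth keeping in whatever process maintains the CSV, since a duplicated key is the one mistake the automatic lookup will not report.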

gcusello
SplunkTrust

Hi edwardrose,
if you're satisfied by this answer, please accept and/or upvote it.

Bye, see next time.
Giuseppe

0 Karma

vishaltaneja070
Motivator

Hello @edwardrose

I think this can be achieved through the SEDCMD command. And I also think it is better to replace only mgmt with dmz. No need to do any other changes.

The following configuration will work for you (props.conf):
[cisco:asa]
SEDCMD-hostname = s/mgmt/dmz/g

0 Karma

edwardrose
Contributor

Hello @vishaltaneja07011993

So I wasn't exactly specific with the hostnames of the network devices.

The management hostnames are like the following:

amywanra1
tokwanra1
wvwanra1
wvwanra2

And the DMZ hostnames are like the following:
vpn-inn
vpn-wv1
vpn-wv2
vpn-hsi

So I am not certain how to make these work properly, except with the example that I used in my original post.

0 Karma

vishaltaneja070
Motivator

@edwardrose

Then there are two options:
1. Write a SEDCMD for each value separately, like:
SEDCMD-hostname = s/amywanra1/vpn-inn/g
SEDCMD-hostname1 = s/tokwanra1/vpn-wv1/g

2. Do it at search time using lookups. That will also look the same with an automatic lookup.
0 Karma
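The SEDCMD suggestions in this thread (the `s/mgmt-sys-/dmz-sys-/g` stanza, the shorter `s/mgmt/dmz/g`, and the per-host `s/amywanra1/vpn-inn/g`) rewrite the event text permanently at index time, so they are worth previewing against captured events before they go into props.conf. Two points the preview makes visible: SEDCMD changes the raw event text (`_raw`), not the indexed `host` field, so `host=` searches still see the management name; and an expression that is not anchored to the syslog header also rewrites every other place the string occurs in the message. The script below is an added example, not code from the thread or from Splunk: it runs each expression through `sed -E` over three constructed ASA-style syslog lines (Splunk's SEDCMD regex dialect is PCRE, so the expressions stay within the subset both tools read the same way) and prints only the lines each expression changed. The sample lines, the `mgmt-vlan` interface name and the `amywanra1-admin` username in them are constructed for this example; the hostname pair amywanra1 to vpn-inn is the one given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: preview SEDCMD expressions with sed -E
# over constructed sample events. All sample lines below are constructed.

SAMPLE_EVENTS='<166>mgmt-sys-01 %ASA-6-302013: Built inbound TCP connection 1 for mgmt-vlan:10.0.0.5/1 to outside:10.0.1.5/443
<166>mgmt-sys-02 %ASA-6-106015: Deny TCP (no connection) from 10.0.0.9/1 to 10.0.1.7/22
<166>amywanra1 %ASA-6-302014: Teardown TCP connection 2 for inside:10.0.0.5/1 to dmz-mgmt:10.0.2.5/80 user amywanra1-admin'

# apply_sedcmd EXPR : print the sample events after one SEDCMD expression.
apply_sedcmd() {
    printf '%s\n' "$SAMPLE_EVENTS" | sed -E -e "$1"
}

# count_lines EXPR TOKEN : number of rewritten lines that still contain TOKEN.
count_lines() {
    apply_sedcmd "$1" | grep -c -- "$2" || true
}

# changed_lines EXPR : print before/after pairs only for lines the expression
# changed; the quickest way to spot collateral rewrites in the message body.
changed_lines() {
    printf '%s\n' "$SAMPLE_EVENTS" | while IFS= read -r line; do
        after=$(printf '%s\n' "$line" | sed -E -e "$1")
        if [ "$after" != "$line" ]; then
            printf 'before: %s\nafter:  %s\n' "$line" "$after"
        fi
    done
}

# 1. The schematic case from the thread: only the mgmt-sys- prefix is touched.
NARROW='s/mgmt-sys-/dmz-sys-/g'
# 2. The shorter variant: every "mgmt" is rewritten, including the interface
#    name mgmt-vlan and dmz-mgmt inside the message body.
BROAD='s/mgmt/dmz/g'
# 3. Per-host mapping as suggested, unanchored: the username amywanra1-admin
#    in the body is rewritten as well.
PER_HOST_UNANCHORED='s/amywanra1/vpn-inn/g'
# 4. The same mapping anchored to the syslog header (<PRI>hostname ), so only
#    the hostname position changes.
PER_HOST='s/^(<[0-9]+>)amywanra1 /\1vpn-inn /'

for expr in "$NARROW" "$BROAD" "$PER_HOST_UNANCHORED" "$PER_HOST"; do
    printf '== SEDCMD-hostname = %s\n' "$expr"
    changed_lines "$expr"
done
```

Running the script prints, for each expression, only the lines it would alter; the broad and unanchored forms show changes beyond the hostname position, which is exactly what cannot be undone once the events are indexed. Because SEDCMD leaves the `host` field as the management name, a search for the DMZ name still has to run against the rewritten text (for example a field extracted from it) rather than `host=`.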