Getting Data In

Change hostname

Communicator

Hello All,

I have several devices on our network that have one interface/IP address in our DMZ and a management IP address in a securecell. We use the management IP address to send syslogs to a syslog-ng server. The issue I have is that a Qualys scan of our DMZ network shows the DMZ IP address/hostname. So when I run a search for data from dmz-sys-1 in Splunk we do not find it, because the data is collected on mgmt-sys-1.

So I was thinking of using props.conf and transforms.conf to rename the hostname of all 20 of these devices from mgmt-sys-x to dmz-sys-x.

Here is what I was thinking for props.conf:

[cisco:asa]
TRANSFORMS-hostname = mgmt-sys-01,mgmt-sys-02,mgmt-sys-03,mgmt-sys-04

And the transforms.conf:

[mgmt-sys-01]
hostname = dmz-sys-01

[mgmt-sys-02]
hostname = dmz-sys-02

[mgmt-sys-03]
hostname = dmz-sys-03

[mgmt-sys-04]
hostname = dmz-sys-04

Would that work?


SplunkTrust

Is the DMZ hostname getting logged in the events?
If it is, then you can extract it using field extractions and then run a search based on that field. Give a sample event if you don't know how to extract it.


Legend

Hi edwardrose,
do you want to permanently modify the logs, or do you want to display the correct host at search time?
In the first case you can use the SEDCMD command;
if instead you don't want to permanently modify the logs (sometimes it is not allowed), you can use a regex to override the hostname value:

| rex field=hostname mode=sed "s/mgmt-sys-/dmz-sys-/g"

Bye.
Giuseppe


Communicator

Hello Giuseppe,

I would like to permanently change the hostname.

Thanks
ed


Legend

In this case, put the following stanza in props.conf:

[cisco:asa]
SEDCMD-hostname = s/mgmt-sys-/dmz-sys-/g

Bye.
Giuseppe


Communicator

Hello Giuseppe,

So I wasn't exactly specific with the hostnames of the network devices.

The management hostnames are like the following:

amywanra1
tokwanra1
wvwanra1
wvwanra2

And the DMZ hostnames are like the following:
vpn-inn
vpn-wv1
vpn-wv2
vpn-hsi

So I am not certain how to make these work properly, except with the example that I used in my original post.


Legend

Hi edwardrose,
if your situation is not as schematic as the one you showed in the main post, maybe the best solution is to ingest the logs without transformation (or with only the simple ones) and then manage the transformation at search time, creating a lookup that contains the original hostname and the new one; then you can create an automatic lookup so you'll have the new value.
Bye.
Giuseppe


Legend

Hi edwardrose,
if you're satisfied by this answer, please accept and/or upvote it.

Bye, see next time.
Giuseppe


Motivator

Hello @edwardrose

I think this can be achieved through the SEDCMD command. Also, I think it is better to replace mgmt with dmz only. No need for any other changes.

The below type of configuration will work for you (props.conf):

[cisco:asa]
SEDCMD-hostname = s/mgmt/dmz/g


Communicator

Hello @vishaltaneja07011993

So I wasn't exactly specific with the hostnames of the network devices.

The management hostnames are like the following:

amywanra1
tokwanra1
wvwanra1
wvwanra2

And the DMZ hostnames are like the following:
vpn-inn
vpn-wv1
vpn-wv2
vpn-hsi

So I am not certain how to make these work properly, except with the example that I used in my original post.


Motivator

@edwardrose

Then there are two options:

1. Write a SEDCMD for each value separately, like:

SEDCMD-hostname = s/amywanra1/vpn-inn/g
SEDCMD-hostname1 = s/tokwanra1/vpn-wv1/g

2. Do it at search time using lookups. That will also look the same with an Automatic Lookup.
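Two ways to make a search such as host=vpn-inn actually match the events, as an added example that is not from any poster in this thread: an index-time host override in transforms.conf (SEDCMD rewrites only _raw, so the host field the search keys on is unchanged by it), and the search-time automatic lookup that Giuseppe and vishaltaneja describe. The stanza names, the lookup file mgmt_to_dmz_host.csv, its column names, and the pairing of the last two hosts are assumptions.

```ini
# props.conf (added example; stanza and lookup names are assumptions)
[cisco:asa]
# Index-time path: rewrite the host metadata itself. SEDCMD only edits
# _raw, so after SEDCMD a search on host=vpn-inn would still miss the event.
# Must live on the indexer or heavy forwarder that parses the data.
TRANSFORMS-dmzhost = dmzhost_amywanra1, dmzhost_tokwanra1
# Search-time path: automatic lookup adds a dmz_host field to every
# cisco:asa event without touching the indexed data (reversible, auditable).
LOOKUP-dmz_host = mgmt_to_dmz_host mgmt_host AS host OUTPUTNEW dmz_host

# transforms.conf
# One stanza per device, because the mgmt -> DMZ names follow no pattern.
[dmzhost_amywanra1]
SOURCE_KEY = MetaData:Host
REGEX = ^host::amywanra1$
DEST_KEY = MetaData:Host
FORMAT = host::vpn-inn

[dmzhost_tokwanra1]
SOURCE_KEY = MetaData:Host
REGEX = ^host::tokwanra1$
DEST_KEY = MetaData:Host
FORMAT = host::vpn-wv1

# Lookup definition for the search-time path
[mgmt_to_dmz_host]
filename = mgmt_to_dmz_host.csv

# lookups/mgmt_to_dmz_host.csv (constructed; only the first two pairs are
# the ones given in the thread, the last two pairings are assumed)
# mgmt_host,dmz_host
# amywanra1,vpn-inn
# tokwanra1,vpn-wv1
# wvwanra1,vpn-wv2
# wvwanra2,vpn-hsi
```

With the lookup path the Qualys hostname is queried as dmz_host=vpn-inn rather than host=vpn-inn, and the mapping can be changed later by editing the CSV; the index-time path is permanent for events already indexed.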