How to set different host values on one udp port

920087764
Engager

Hi
I want to set different host values on UDP 514.
The events' host values equal their IPs, so I want to change them to hostnames.
I configured the inputs.conf as below:

[udp://1.1.1.1:514]
host = SWITCH
connection_host = dns
sourcetype = syslog-Switch

[udp://2.2.2.2:514]
host = FIREWALL
connection_host = dns
sourcetype = syslog-FIREWALL

The sourcetype values change, but host values do not.

0 Karma

FrankVl
Ultra Champion
  1. As far as I know, you cannot configure multiple UDP inputs for the same port.
  2. Your settings are confusing: you're hardcoding the host value to "SWITCH" or "FIREWALL", but also using connection_host = dns. What is it that you want to achieve?

If connection_host = dns is not resulting in having hostnames in the host field, but still results in IP addresses, are you sure the IP address can be resolved to a hostname using a reversed DNS lookup?

Also: do you have any configuration in place that might override the host field value using information from inside the events?

0 Karma

920087764
Engager

I removed connection_host = dns but the result does not change.

As far as I checked, there was no configuration in place that overrides the host field value using events information.

0 Karma

FrankVl
Ultra Champion

I think the inputs.conf spec prescribes setting connection_host = none if you want to set the host using a host = setting.

0 Karma
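
A lint for the two points raised in this thread, added here as an example and not part of any post or of Splunk itself: it flags UDP stanzas where host = is set while connection_host is not none, and UDP stanzas that share a port. It assumes an unset connection_host on a UDP input behaves as ip; `lint_udp_inputs` is a hypothetical helper and the sample text reuses the stanzas from the question.

```python
import configparser

# Sample input: the stanzas from the question, embedded so the check runs offline.
SAMPLE = """
[udp://1.1.1.1:514]
host = SWITCH
connection_host = dns
sourcetype = syslog-Switch

[udp://2.2.2.2:514]
host = FIREWALL
connection_host = dns
sourcetype = syslog-FIREWALL
"""

# Assumption: when connection_host is absent on a UDP input, it acts as "ip".
UDP_DEFAULT_CONNECTION_HOST = "ip"


def lint_udp_inputs(text):
    """Return (stanza, message) findings for the UDP stanzas in inputs.conf text."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    findings, ports = [], {}
    for stanza in cp.sections():
        if not stanza.startswith("udp://"):
            continue
        opts = cp[stanza]
        # "udp://<remote>:<port>" and "udp://<port>" both end in the port
        port = stanza[len("udp://"):].rsplit(":", 1)[-1]
        ports.setdefault(port, []).append(stanza)
        mode = opts.get("connection_host", UDP_DEFAULT_CONNECTION_HOST).strip().lower()
        if "host" in opts and mode != "none":
            findings.append((stanza, f"host = {opts['host']} will not apply: "
                             f"connection_host = {mode} takes host from the sender"))
    for port, stanzas in ports.items():
        if len(stanzas) > 1:  # the case questioned in the first reply
            for s in stanzas:
                findings.append((s, f"port {port} is shared by {len(stanzas)} UDP stanzas"))
    return findings


if __name__ == "__main__":
    for stanza, msg in lint_udp_inputs(SAMPLE):
        print(f"[{stanza}] {msg}")
```

Run against the configuration after connection_host = dns was removed, it still reports the host setting, because the assumed default is ip rather than none.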