How to set different host values on one udp port

920087764 · ‎05-15-2018

Hi
I want to set different host value on udp 514 .
Events host values equals their IPs, so I want to change it to hostnames.
I configured the inputs.conf as below:

[udp://1.1.1.1:514]
host = SWITCH
connection_host = dns
sourcetype = syslog-Switch

[udp://2.2.2.2:514]
host = FIREWALL
connection_host = dns
sourcetype = syslog-FIREWALL

The sourcetype values change, but host values do not.

FrankVl · ‎05-15-2018

As far as I know, you cannot configure multiple UDP inputs for the same port.
your settings are confusing: you're hardcoding the host value to "SWITCH" or "FIREWALL", but also using connection_host = dns. What is it that you want to achieve?

If connection_host = dns is not resulting in having hostnames in the host field, but still results in IP addresses, are you sure the IP address can be resolved to a hostname using a reversed DNS lookup?

Also: do you have any configuration in place that might override the host field value using information from inside the events?

920087764 · ‎05-15-2018

I removed connection_host = dns but result does not change.

as far as i checked, there was no configuration in place that override the host field value using events information.

FrankVl · ‎05-16-2018

I think the inputs.conf spec prescribes to set connection_host = none if you want to set the host using a host = setting.

How to set different host values on one udp port

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off