Hello,
We are currently in the process of moving some of our hosts from Solaris to Windows. These hosts are part of Veritas clusters.
Currently, the Solaris hosts report the Veritas cluster name via the Universal Forwarder. We'd like to mimic this behavior within the Windows environment.
I've attempted multiple things, including updating the host entry within the inputs.conf file, to no avail. Splunk continues to report the physical host name of the server that the processes are running on.
Any idea how to hard code the host name that is reported to our aggregation server via the Universal Forwarder?
Thanks!
The value that changes the "server name" is in the server.conf file. Changing the name should be done in two places, inputs.conf and server.conf. The "host name" value is taken from the server when the server was first created or changed at the OS level. There isn't a Splunk config file that will change the "host name" value.
Second, the data coming from the UF will have the "server name" when it reaches the indexer and can be searched by host="mlp-da02" as in the example above.
Hi Kollerj,
Try to update like this,
$SPLUNK_HOME/etc/system/local/server.conf
[general]
serverName = <host_name>
$SPLUNK_HOME/etc/system/local/inputs.conf
[default]
host = <host_name>
Check whether the inputs.conf files from your other apps have a host entry. I guess the inputs.conf of the apps you are on-boarding or monitoring has an older entry.
Or you can use the below CLI commands,
./splunk set servername <host>
./splunk set default-hostname <host>
For Windows, you need to update server.conf's [general] stanza with an additional option:
[general]
hostnameOption = <ASCII string>
* The option used to specify the detail in the server name used to identify
this Splunk instance.
* Can be one of "fullyqualifiedname" , "clustername", "shortname"
* Is applicable to Windows only
* Shall not be an empty string
Ref: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf
Thanks,
V
Restart the server after configuring the host name to see the changes. Accept the answer if it solves your issue.
Hi vasanthmss,
Thanks for the response.
Unfortunately, this did not resolve the issue. I see that both the inputs.conf and server.conf were updated to mlp-da02 by following your CLI commands -- I restarted both the forwarder as well as our central server, to no avail -- it is still reporting as xmlspap2x.
server.conf:
[sslConfig]
sslKeysfilePassword = X
[general]
pass4SymmKey = X
serverName = mlp-da02
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
inputs.conf:
[default]
host = mlp-da02
splunkd.log:
01-14-2016 10:43:59.734 -0800 INFO ServerConfig - My server name is "mlp-da02".
01-14-2016 10:43:59.734 -0800 INFO ServerConfig - Found no site defined in server.conf
01-14-2016 10:43:59.734 -0800 INFO ServerConfig - Found no hostname options in server.conf. Will attempt to use default for now.
01-14-2016 10:43:59.734 -0800 INFO ServerConfig - Host name option is "".
01-14-2016 10:43:59.734 -0800 INFO ServerConfig - My hostname is "XMLSPAP2X".
01-14-2016 10:43:59.749 -0800 INFO ServerConfig - Setting HTTP server compression state=on
01-14-2016 10:43:59.749 -0800 INFO ServerConfig - Setting HTTP client compression state=0 (false)
01-14-2016 10:43:59.749 -0800 INFO ServerConfig - Default output queue for file-based input: parsingQueue.
Any other thoughts?
Thanks,
Jason
Are you positive you have updated in system local? Restart the service and check once...
Use the btool command to check your inputs.conf and server.conf.
I got you... in Windows you need to add another parameter for the host name in server.conf:
[general]
hostnameOption = <ASCII string>
* The option used to specify the detail in the server name used to identify
this Splunk instance.
* Can be one of "fullyqualifiedname" , "clustername", "shortname"
* Is applicable to Windows only
* Shall not be an empty string
Updating previous answer with this option
Hi Vasanthmss,
What do you think this option needs to be set to? I don't have any environment variables that match "mlp-da02" so I'm not sure which one I'd use. Do you know where it pulls each name from?
Thanks,
Jason
Honestly I never tried it. You can try one by one....
Unfortunately, none of the options got me what I was looking for.
01-18-2016 12:37:52.014 -0800 INFO ServerConfig - Host name option is "shortname".
01-18-2016 12:37:52.014 -0800 INFO ServerConfig - My hostname is "xmlspap2x".
01-18-2016 12:32:28.343 -0800 INFO ServerConfig - Host name option is "fullyqualifiedname".
01-18-2016 12:32:28.343 -0800 INFO ServerConfig - My hostname is "xmlspap2x.lsas.ca.kp.org".
01-18-2016 12:35:06.332 -0800 INFO ServerConfig - Host name option is "clustername".
01-18-2016 12:35:06.332 -0800 INFO ServerConfig - My hostname is "xmlspap2x".
Any other ideas?
Thanks,
Jason
Did that help?
The host change in inputs.conf will only change the host metadata for the events being monitored. You can change the host name in server.conf as well to change the host property for internal logs.
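An added example, not part of the original thread or of Splunk's tooling: a small parser for the ServerConfig lines quoted above that pairs each startup's host name option with the hostname splunkd detected, so you can confirm after every config change whether the forwarder identifies itself by the expected cluster name. The function names are hypothetical; the sample lines are the ones posted in the thread.

```python
import re

# ServerConfig lines as quoted in the thread above (splunkd.log excerpts).
SAMPLE_LOG = '''\
01-14-2016 10:43:59.734 -0800 INFO ServerConfig - My server name is "mlp-da02".
01-14-2016 10:43:59.734 -0800 INFO ServerConfig - Host name option is "".
01-14-2016 10:43:59.734 -0800 INFO ServerConfig - My hostname is "XMLSPAP2X".
01-18-2016 12:37:52.014 -0800 INFO ServerConfig - Host name option is "shortname".
01-18-2016 12:37:52.014 -0800 INFO ServerConfig - My hostname is "xmlspap2x".
01-18-2016 12:32:28.343 -0800 INFO ServerConfig - Host name option is "fullyqualifiedname".
01-18-2016 12:32:28.343 -0800 INFO ServerConfig - My hostname is "xmlspap2x.lsas.ca.kp.org".
01-18-2016 12:35:06.332 -0800 INFO ServerConfig - Host name option is "clustername".
01-18-2016 12:35:06.332 -0800 INFO ServerConfig - My hostname is "xmlspap2x".
'''

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) INFO ServerConfig - '
    r'(?P<key>My server name|Host name option|My hostname) is "(?P<val>[^"]*)"\.$'
)

def parse_startups(log_text):
    """Return one record per startup, closed by its 'My hostname is' line."""
    records, current = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore unrelated splunkd.log lines
        key, val = m.group("key"), m.group("val")
        if key == "My server name":
            current["server_name"] = val
        elif key == "Host name option":
            current["hostname_option"] = val
        else:  # "My hostname" closes the record for this startup
            records.append({"time": m.group("ts"),
                            "server_name": current.get("server_name"),
                            "hostname_option": current.get("hostname_option", ""),
                            "hostname": val})
            current = {}
    return records

def not_matching(records, expected):
    """Startups whose detected hostname is not the expected name (case-insensitive)."""
    want = expected.lower()
    return [r for r in records if r["hostname"].lower() != want]

if __name__ == "__main__":
    for r in not_matching(parse_startups(SAMPLE_LOG), "mlp-da02"):
        print(r["time"], repr(r["hostname_option"]), "->", r["hostname"])
```

Run against the thread's log lines, every startup is reported as not matching "mlp-da02", which is the behaviour Jason describes for all three hostnameOption values.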