Server is running 4.1.
This does not seem to be an issue for default UDP (that is, udp/514) messages.

[udp://9514]
disabled = false
sourcetype = cisco_syslog
index = udp9514
connection_host = dns

Received syslog messages retain their IP address and do not get switched to the hostname.
This should work the same for both. Can you please review the output of "splunk cmd btool inputs list"?
Just checked my data input (because I'm doing the same thing) and it turns out there is a radio button for DNS.
Navigate to Admin/Manager (whatever it is called in your version of the web UI), Data Inputs, UDP, your UDP 515 or other port, and make sure "Set Host" has DNS selected.
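To see what the "Set Host" / connection_host choice actually does to an event, here is a small stand-alone UDP syslog receiver written for this thread; it is not Splunk's code and not something any poster above ran. It models the two settings discussed: "ip" keeps the sender's address, and "dns" does a reverse (PTR) lookup and falls back to the address when the lookup fails, which is the one case where a DNS setting still leaves you with an IP in the host field. The resolver is injected so the demo runs offline against a fake PTR table; the sample datagrams, the 10.1.2.x addresses and the example.net name are constructed for illustration.

```python
import re
import socket
from typing import Callable, List, Tuple

# Hypothetical reimplementation of a Splunk-style "Set Host" option for a UDP
# syslog input (not Splunk's code). Modes modelled:
#   "ip"  -> host is the sender's IP address
#   "dns" -> host is the sender's reverse-DNS (PTR) name, falling back to the
#            IP when no PTR record exists or the resolver fails
LookupFn = Callable[[str], Tuple[str, List[str], List[str]]]

# Minimal RFC 3164 line: <PRI>TIMESTAMP HEADER-HOST MESSAGE
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "   # e.g. "Mar  4 10:15:02"
    r"(?P<hdr_host>\S+) "                                   # hostname the sender wrote
    r"(?P<msg>.*)$"
)


def resolve_host(sender_ip: str, mode: str = "dns",
                 lookup: LookupFn = socket.gethostbyaddr) -> str:
    """Return the value to store in the host field for a datagram from sender_ip."""
    if mode == "ip":
        return sender_ip
    if mode == "dns":
        try:
            fqdn, _aliases, _addrs = lookup(sender_ip)
            return fqdn
        except (socket.herror, socket.gaierror, OSError):
            # No PTR record (or resolver unreachable): the event keeps the IP.
            return sender_ip
    raise ValueError(f"unsupported host mode: {mode!r}")


def build_event(raw: bytes, sender_ip: str, mode: str = "dns",
                lookup: LookupFn = socket.gethostbyaddr) -> dict:
    """Parse one datagram and attach the resolved host field."""
    line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = SYSLOG_LINE.match(line)
    pri = int(m.group("pri")) if m else 13   # 13 = user.notice, the RFC 3164 default
    return {
        "host": resolve_host(sender_ip, mode, lookup),
        "facility": pri // 8,
        "severity": pri % 8,
        "header_host": m.group("hdr_host") if m else None,
        "message": m.group("msg") if m else line,
        "raw": line,
    }


def serve(port: int = 9514, mode: str = "dns") -> None:
    """Bind the UDP port and print one parsed event per datagram (Ctrl-C to stop)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            print(build_event(data, ip, mode))


# Constructed sample datagrams and sender addresses (not captured traffic).
SAMPLES = [
    (b"<189>Mar  4 10:15:02 rtr-edge-1 %LINK-5-CHANGED: Interface Gi0/1, "
     b"changed state to down", "10.1.2.3"),
    (b"<34>Mar  4 10:15:03 fw1 login failed for user admin", "10.1.2.4"),
]


def fake_ptr_lookup(ip: str) -> Tuple[str, List[str], List[str]]:
    """Stand-in for socket.gethostbyaddr: only 10.1.2.3 has a PTR record."""
    table = {"10.1.2.3": "rtr-edge-1.example.net"}
    if ip not in table:
        raise socket.herror(1, "Unknown host")
    return table[ip], [], [ip]


def demo(mode: str = "dns") -> List[dict]:
    """Run the samples through the parser with the offline PTR table."""
    return [build_event(raw, ip, mode, fake_ptr_lookup) for raw, ip in SAMPLES]


if __name__ == "__main__":
    for ev in demo("dns"):
        print(ev["host"], ev["facility"], ev["severity"], ev["message"])
```

With mode "dns" the first sample comes out with host rtr-edge-1.example.net while the second stays 10.1.2.4 because the fake table has no PTR for it; with mode "ip" both keep their addresses. The practical check this suggests for a real indexer is to confirm that the sending device's address actually has a PTR record from the Splunk host's point of view (for example with `dig -x <ip>` or `nslookup <ip>` on that box) before blaming the input stanza.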
I think that the system hosting Splunk needs to be configured to do DNS lookups for this new port. I could be wrong, but check this out:
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (yes);
    use_fqdn (yes);
    use_time_recvd (yes);
    create_dirs (yes);
    keep_hostname (yes);
};

source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};

source s_net {
    udp(ip(0.0.0.0) port (514));
};
This is from my syslog-ng.conf file. Maybe adding the following will help?
source s_net {
    udp(ip(0.0.0.0) port (515));
};