Re: Host Field is Using the Old Hostname

ibraheem · ‎07-11-2024

Hi,

I'm facing an issue with 5 hosts, recently we change the hostname of these machines but it is not reflected in the host field, in the host field the old hostname is shown.

Below is a sample log:

"LogName=Security

EventCode=4673

EventType=0

ComputerName=A0310PMTHYCJH15.tnjhs.com.pk

host = A0310PMNIAMT05 source = WinEventLog:Security sourcetype = WinEventLog "

We are receiving logs from these windows hosts through UF and I checked the apps deployed in these hosts and checked the inputs.conf, hostname field is not defined.

The new hostname is shown in the logs in the field ComputerName.

Any suggestions to this problem would be appreciated.

ibraheem · ‎07-11-2024

Logs are landing directly from UF to indexers

ibraheem · ‎07-11-2024

In the newly ingested events, the old hostname is used in the host field, the new hostname is shown in the ComputerName field

PickleRick · ‎07-11-2024

That is indeed strange. Do you have TA_windows installed on your receiving end?

ibraheem · ‎07-11-2024

Yes, we have TA_windows installed. I've checked this add-on for hostname/host field in inputs.conf, but this field does not exist

PickleRick · ‎07-11-2024

Are you sending directly from your UF to indexer(s)? Or do you have a HF somewhere in the middle?

PickleRick · ‎07-11-2024

Are you talking about the old events or the newly ingested ones?

Host Field is Using the Old Hostname

fields

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?