One of my devices is not showing its hostname in Graylog 3.2.2 but its IP. It is an ASA device that has been configured exactly like all my other Cisco ASAs that work correctly, i.e. showing their hostname rather than IP addresses.
The only difference I can think of is that the device has been configured to send log before the corresponding entry in DNS was added. So for the first few logs coming in for that device the Graylog server was not able to resolve the host.
Now DNS and reverse DNS entries are configured correctly for that host and I have verified that the Graylog server can indeed DNS resolve that host both ways. However the logs from that host still come in unresolved.
Anyone know a way to force Graylog to resume querying DNS for that host? Once a device is known as an IP, does it mean that it will always be known as such?
Please note that I only have this problem with this one particular host and I have read the following posts with no clear steering.
If you are talking about the ‘source’ field being set as the IP address instead of the hostname that will be due to the host providing that in the logs.
AFAIK, Graylog does not perform DNS resolution in order to populate the ‘source’ field with a hostname/FQDN. Graylog will populate the ‘source’ field with whatever value the host provides in its logs.
Are you sure about this? I have configured all my ASA the same way and they all show up as full DNS name and those devices have no knowledge of the domain (FQDN) they are in.
There must be some resolution going on here otherwise how would you explain all the other devices showing their source as FQDN?
Another thing I am thinking of is that all logs are coming from rsyslog on the same box, i.e. it is rsyslog that is forwarding all logs to Graylog, so I might look in there to see if it’s not rsyslog that is the issue.
Not for the source field no. That is populated with data parsed out of the received log message.
Out of curiosity… Why are you forwarding the logs to an rsyslog server on the GL host and then forwarding to an input on Graylog? Why not just send the logs directly into an input in GL?
Because:
My graylog skills are low
Could not start an input on a port lower than 1024, i.e. 514, and didn’t want to poke at the system
I would have to reconfigure all hosts (still achievable but some work)
I have just added *.* @@localhost:1514;RSYSLOG_SyslogProtocol23Format at the end of my /etc/rsyslog.conf file and job done.
Do you think it is a bad setup?
I used to think that it was a bad setup, but now that I realized that rsyslog does the DNS resolution I start to think that it is good, because I can see the meaningful FQDN as source in the logs rather than the IP address, and this without customizing anything in Graylog.
The downside of it is that I have double logs on the devices (high disk usage), which is partially under control in rsyslog via logrotate.
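As an added illustration of where the ‘source’ value comes from (example code written for this thread, not part of Graylog or rsyslog): a small RFC 5424 header parser, the format the RSYSLOG_SyslogProtocol23Format template emits, run over constructed messages. One carries the device's own IP in the HOSTNAME field, as a device sending straight to a Graylog input would; the other has HOSTNAME rewritten with the reverse-DNS name, which assumes rsyslog's default sender resolution is on. The sample messages and the `asa-edge.example.net` / `192.0.2.10` values are made up.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 5424 header as emitted by rsyslog's RSYSLOG_SyslogProtocol23Format template:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
# Structured data is either a single "-" or one or more [...] elements.
# Assumption: no escaped "]" inside an SD element (enough for these samples).
SD_RE = re.compile(r"^(?:-|(?:\[[^\]]*\])+)\s*(?P<msg>.*)$")

@dataclass
class Syslog5424:
    facility: int
    severity: int
    timestamp: str
    hostname: str   # the HOSTNAME field is what a syslog input exposes as 'source'
    app_name: str
    message: str

def parse_5424(line: str) -> Syslog5424:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    sd = SD_RE.match(m.group("rest"))
    if not sd:
        raise ValueError(f"malformed structured data: {m.group('rest')!r}")
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return Syslog5424(pri // 8, pri % 8, m.group("ts"), m.group("host"),
                      m.group("app"), sd.group("msg"))

def is_unresolved(hostname: str) -> bool:
    """True when the HOSTNAME field is a bare IP, i.e. no DNS name was applied."""
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False

# Constructed samples (not captured from a real device). Same ASA event:
# 1) HOSTNAME as the device itself fills it when sent straight to a Graylog input,
# 2) HOSTNAME after rsyslog (default DNS resolution on) rewrote it with the sender's reverse-DNS name,
# 3) as 2) but with a structured-data element instead of "-".
DIRECT = "<166>1 2020-03-10T12:00:00Z 192.0.2.10 %ASA-6-302013 - - - Built inbound TCP connection"
VIA_RSYSLOG = "<166>1 2020-03-10T12:00:00Z asa-edge.example.net %ASA-6-302013 - - - Built inbound TCP connection"
WITH_SD = '<166>1 2020-03-10T12:00:00Z asa-edge.example.net %ASA-6-302013 - - [meta seq="7"] Built inbound TCP connection'
```

Running `is_unresolved` over the parsed hostnames of a day's messages is a quick way to list sources that are still arriving as bare IPs.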
I would configure your systems to log their hostnames properly and have them send directly into a Graylog input. The extra rsyslog part is just unnecessary.
I will consider this seriously. Another reason was that if for any reason Graylog breaks (configuration, upgrades etc…) you still have access to rsyslog. So it might be that once the Graylog people's skills become better we will move away from rsyslog and build a fully redundant Graylog solution.
PS: I have solved my original problem by restarting rsyslog so I assume it was doing some caching.