Find out which hosts are sending logs

Hello,
I want to find out all hosts (Azure VMs) which are sending log data to Graylog/Elastic. Is it possible to get the IP address of the host? I used the query below and it's giving me the hostname. Unfortunately this is overwritten by some admins and does not show me the VM name in Azure.
Is it possible to extract the IP address of the VM sending logs?

Using:
Graylog: 2.1.3
Elasticsearch: 2.4.4

My query:
curl --silent -XGET 'XX.XXX.XX.XX:9200/_all/_search?pretty=true' -H 'Content-Type: application/json' -d '
{
  "size": "0",
  "aggregations": {
    "uniq_hosts": {
      "terms": {"field": "source", "size": 1000}
    }
  }
}'

Does the Sources menu option not give you what you need?

Hi @kai_poitschke

That can only be answered if you know what and how you ingest the data, because it can only be seen if the logs contain that information.

Hello AdamC,
yes, Sources returns the same information as my query above. As said, the problem is that on some machines the hostname is overwritten and not the same as the one used in Azure.
That's the reason why I'd like to get the IP address.

The app logs do not have this information.
Don't logstash or graylog add some additional information?

I'll highlight this again: without knowing how you ingest, the answer is - sometimes.
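To make the "sometimes" concrete, here is an added example (not code from the thread or from Graylog) that extends the terms aggregation from the original curl request with a nested terms aggregation on a candidate sender-IP field, and then audits the response. The field names are assumptions: "source" is the hostname field the original query already aggregates on, and "gl2_remote_ip" is assumed to be the field a Graylog network input fills with the sender's IP; if your ingest path (e.g. an application log forwarded through another tool) does not record an IP, that sub-aggregation simply comes back empty, and the audit lists those hosts separately. The sample response is constructed, not real data.

```python
import json
from collections import defaultdict

# Field names are assumptions (see lead-in): "source" is the hostname field
# aggregated in the thread's curl query; "gl2_remote_ip" is assumed to hold
# the sender's IP for messages that arrived via a Graylog network input.
SOURCE_FIELD = "source"
IP_FIELD = "gl2_remote_ip"


def build_query(source_field=SOURCE_FIELD, ip_field=IP_FIELD, size=1000):
    """Same terms aggregation as the curl request in the thread, plus a
    nested terms aggregation on the candidate IP field under each host.
    json.dumps(build_query()) is the body to pass to curl -d."""
    return {
        "size": 0,
        "aggregations": {
            "uniq_hosts": {
                "terms": {"field": source_field, "size": size},
                "aggregations": {
                    "remote_ips": {"terms": {"field": ip_field, "size": 10}}
                },
            }
        },
    }


def audit_sources(response):
    """Walk an Elasticsearch aggregation response and return a report:
    by_source : {source name: sorted IPs seen for that name}
    by_ip     : {ip: sorted source names seen from that IP}
    multi_ip  : names reported from more than one IP (a shared or
                overwritten hostname, the problem described in the thread)
    no_ip     : names whose messages carry no IP field at all
    """
    by_source = {}
    by_ip = defaultdict(set)
    for host in response["aggregations"]["uniq_hosts"]["buckets"]:
        name = host["key"]
        # Missing or empty sub-aggregation means the ingest path recorded no IP.
        ips = sorted(b["key"] for b in host.get("remote_ips", {}).get("buckets", []))
        by_source[name] = ips
        for ip in ips:
            by_ip[ip].add(name)
    return {
        "by_source": by_source,
        "by_ip": {ip: sorted(names) for ip, names in by_ip.items()},
        "multi_ip": sorted(n for n, ips in by_source.items() if len(ips) > 1),
        "no_ip": sorted(n for n, ips in by_source.items() if not ips),
    }


# Constructed sample response in Elasticsearch 2.x terms-aggregation shape
# (not real data): two VMs have had their hostname overwritten to the same
# name, and one host arrives through a path that records no sender IP.
SAMPLE_RESPONSE = {
    "took": 3,
    "hits": {"total": 300, "hits": []},
    "aggregations": {
        "uniq_hosts": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "web01", "doc_count": 120,
                 "remote_ips": {"buckets": [{"key": "10.0.0.4", "doc_count": 120}]}},
                {"key": "PROD-APP", "doc_count": 150,
                 "remote_ips": {"buckets": [{"key": "10.0.0.5", "doc_count": 90},
                                            {"key": "10.0.0.6", "doc_count": 60}]}},
                {"key": "batch03", "doc_count": 30,
                 "remote_ips": {"buckets": []}},
            ],
        }
    },
}


if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    report = audit_sources(SAMPLE_RESPONSE)
    for name, ips in report["by_source"].items():
        print(f"{name:10} {', '.join(ips) or '(no IP recorded)'}")
    print("names seen from more than one IP:", report["multi_ip"])
    print("names with no IP in their messages:", report["no_ip"])
```

In the constructed sample, "PROD-APP" shows up from two IPs, which is what an overwritten hostname looks like from the Elasticsearch side, while "batch03" has no IP at all and can only be matched to an Azure VM by some other means (for example by changing how that host's logs are shipped). Checking the no_ip list against your inputs tells you which ingest paths carry the information and which do not.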
