Find out which hosts are sending logs

kai_poitschke · June 12, 2019, 12:52pm

Hello,
I want to find out all hosts (Azure VMs) which are sending log data to GrayLog/Elastic. Is it possible to get the ip address of the host. I used the query below and its giving me the hostname. Unfortunatelly this is overwritten by some admins and does not show me the VM name in Azure.
Is it possible to extract the IP address of the VM sending logs?

Using:
Graylog: 2.1.3
Elasticsearch: 2.4.4

My query:
curl --silent -XGET ‘XX.XXX.XX.XX:9200/_all/_search?pretty=true’ -H ‘Content-Type: application/json’ -d ’
{
“size”: “0”,
“aggregations”: {
“uniq_hosts” : {
“terms”: {“field”: “source”, “size”: 1000}
}
}
}’

AdamC · June 13, 2019, 5:19am

Does the Sources menu option not give you what you need?

jan · June 13, 2019, 8:30am

he @kai_poitschke

that can one be answered if you knew what and how you ingest the data. Because it could be only be seen if the logs contain that information.

kai_poitschke · June 13, 2019, 11:16am

Hello AdamC,
yes, the sources it returns the same information as my query above. As said, the problem is that on some machines the hostname is overwritten and not the same as the one used in Azure.
Thats the reason why I like to get to the ip address.

kai_poitschke · June 13, 2019, 11:17am

The app logs do not have this information.
Isn’t logstash or graylog add some additional information?

jan · June 13, 2019, 12:53pm

Isn’t logstash or graylog add some additional information?

I’ll highlight this again without the knowledge how you ingest, the answer is - sometimes.