How to find ip address of the source

Hello, we have a single instance of Graylog. Currently the devices that are sending logs to our Graylog server are showing up by their hostname, which is fine. But we are in the middle of an investigation and need to find or correlate the hostname of a source with an IP address. How can I find the IP address of the source that's sending the message? The source devices in question are Windows 7/10 systems. Also, the device under investigation is a new Windows system which has not been seen before, and that is why we need to track down its IP.

Also, is there a way to enable both hostname and IP address in the messages for all sources? Windows Event Viewer by default only has the system hostname written in events for it to forward to the syslog server.

We have tried nslookup, ping, etc., but that device is no longer active on our network, so we are relying on Graylog for this.

Thanks

The gl2_remote_ip field is probably what you’re looking for. It’s a hidden field by default, but you can view it with these steps:

  1. At the bottom of the list of fields (in the right pane), click "all fields" in the line that says "List fields of current page or all fields"
  2. Check the box for the “gl2_remote_ip” field

Edit: You might not always have this field available: Issue with gl2_remote_ip

Thank you Calebh. I wish it was easier or Graylog had that enabled by default. You saved us a lot of time.

This field shows the IP that has sent the data, which is not in all cases the system that has produced the entries …

You could enrich your messages with a lookup against the internal DNS to get the IP, for example.
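The two points above (gl2_remote_ip is the sender, not necessarily the producer, and DNS enrichment as a fallback) can be checked against an exported search. The following is an added example, not code from this thread or from Graylog; it assumes the messages were exported from a Graylog search as CSV with the field names `source` and `gl2_remote_ip`, and the sample export and hostnames are constructed.

```python
# Added example (not from this thread or Graylog): correlate the 'source'
# hostname of exported Graylog messages with the sender IP recorded in
# gl2_remote_ip, flagging senders that relay for several hosts.
import csv, io, socket
from collections import defaultdict

# Constructed CSV export (Graylog field names 'source' and 'gl2_remote_ip').
# WS-NEW01 is only ever seen via 10.1.2.5, which also forwards WS-07A.
SAMPLE_EXPORT = """timestamp,source,gl2_remote_ip,message
2020-05-01T09:00:01Z,WS-10A,10.1.2.20,Logon success
2020-05-01T09:00:05Z,WS-07A,10.1.2.5,Service started
2020-05-01T09:01:10Z,WS-NEW01,10.1.2.5,Logon success
2020-05-01T09:02:00Z,WS-10A,10.1.2.20,Logoff
"""

def load_messages(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def correlate(messages, relay_threshold=2):
    """Map each source hostname to the gl2_remote_ip values it arrived from,
    and list sender IPs carrying >= relay_threshold distinct hostnames. Such
    a sender is a relay/collector, not the host that produced the event."""
    host_to_ips = defaultdict(set)
    ip_to_hosts = defaultdict(set)
    for m in messages:
        host, ip = m.get("source"), m.get("gl2_remote_ip")
        if not host or not ip:
            continue  # field missing on this input; nothing to correlate
        host_to_ips[host].add(ip)
        ip_to_hosts[ip].add(host)
    relays = sorted(ip for ip, hosts in ip_to_hosts.items()
                    if len(hosts) >= relay_threshold)
    return dict(host_to_ips), relays

def resolve_hosts(hostnames, resolver=socket.gethostbyname):
    """Forward-DNS enrichment; a host that no longer resolves maps to None."""
    out = {}
    for h in hostnames:
        try:
            out[h] = resolver(h)
        except OSError:  # socket.gaierror for a host that has left the network
            out[h] = None
    return out

if __name__ == "__main__":
    hosts, relays = correlate(load_messages(SAMPLE_EXPORT))
    for host, ips in sorted(hosts.items()):
        print(f"{host}: seen from {sorted(ips)}")
    print("relay/collector senders:", relays)
```

A hostname whose only sender IP is flagged as a relay cannot be pinned to an address from gl2_remote_ip alone; that is the case where the DNS lookup (or the relay's own logs) is needed.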

Thanks Jan. That helps too. On a quick note, does Graylog by default refer to an internal DNS server for populating the hostnames of the sources shown in the web UI, or does it do that based on the content it sees in the incoming logs from a device?
During our investigation, I was looking for ways to check the internal DNS cache of the Graylog Ubuntu VM, but it looks like the nscd package is not installed, so there wouldn't be any DNS cache created.

Thanks in advance,

What input did you use? With syslog you can use this:


For most other inputs the information is taken from the message itself.
