Problem with Source field and FQDN

robrob · February 13, 2018, 7:06am

Im collecting dns, dhcp, event log form AD serwer an have problem with source field, dns and dhcp logs containt source field with out FQDN (Only hostname for example ad1), source field logs from event log it ok and containt hotname with FQDN for example ad1.local.corp, how to fix it ?

jan · February 13, 2018, 8:16am

hej rob

how you ingest the data to Graylog? That is where you need to ajust your settings. Another option would be to correct that field with a processing pipeline. A rule would look like:

rule "set Diskstation hostname"
when
 has_field("source") AND contains(to_string($message.source), "DiskStation")
then
 set_field("source", "diskstation.lan");
end

robrob · February 13, 2018, 8:21am

I am using nxlog ,

<Extension gelf>
    Module xm_gelf
</Extension>
<Input in>
    # For windows vista/2008 and above use:
    Module    im_msvistalog  
    
    #zbieramy logi błędy, krytycze, oraz wybrane zdarzenia tu wpisac id
    Exec if not ($Severity == 'ERROR' or $Severity == 'CRITICAL' or $EventID IN (624, 630, 631, 634, 635, 638, 658, \
   662, 4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4740, 4741, 4742, 4743, 4754, \
   4755, 4756, 4757, 4758, 4764, 4767)) drop(); 
   
    # For windows 2003 and earlier use the following:
    #   Module      im_mseventlog
</Input>

<Input dhcp_log1>
    Module im_file
    #scieżka do pliku na 64bit
    File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
    #na 32 bit
    #File 'C:\Windows\System32\dhcp\DhcpSrvLog*.log'

    # Co ile czytamy domyslenie co 1 sekunde jak trzeba mnie to tu mozna to zmienic   
    #PollInterval 1
    SavePos True
    ReadFromLast True
    Recursive False
    RenameCheck True
    CloseWhenIdle True
</Input>

<Input dns_log1>
    Module  im_file
    #scieżka do pliku na 64bit
    File "C:\\Windows\\Sysnative\\dns\\dns.log"
    #na 32 bit
    #File 'C:\Windows\System32\dns\dns.log'
    # Co ile czytamy domyslenie co 1 sekunde jak trzeba mnie to tu mozna to zmienic   
    #PollInterval 1
    SavePos True
    CloseWhenIdle True
    InputType LineBased
    #skopiowanie lini z dns.log do message bez ucinania do 64 znaków
    Exec $short_message = $raw_event;
</Input>

<Output out> 
    Module      om_udp
    Host        192.168.1.231
    Port        6514
    OutputType  GELF
</Output>

<Route 1>
    Path        dhcp_log1, dns_log1 , in => out
</Route>

jan · February 13, 2018, 8:53am

did you tried adding:

    Exec $Hostname = hostname_fqdn();

like suggested in the nxlog community?

https://nxlog.co/question/2212/nxlog-exec-hostname-hostnamefqdn-not-working

robrob · February 13, 2018, 8:57am

yes but this create field ‘hostname’ , does not overwrite source field

system · February 27, 2018, 8:57am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Domain name in source field Graylog Add-ons sidecar , nxlog , nodatanx	8	1470	November 16, 2021
Source Name Identification Graylog Central (peer support) pipeline-rules	10	5421	March 22, 2017
IIS site name in source field instead of hostname Graylog Central (peer support) sidecar , nxlog , nodatanx	4	1054	November 17, 2021
Rule to set source from field Graylog Central (peer support)	9	1465	October 28, 2022
Replacing the Name in the Source Field Graylog Central (peer support)	6	6306	November 8, 2019

Problem with Source field and FQDN

Related topics