Source address is showing as ip address insted of hostname (Name)


(Suneelhegde03) #1

Hi Team,

I am sending my firewall and load balancer logs to graylog server, firewall logs are fine we are receiving source as firewall name. but netscaler load balancer logs are showing with the IP address if we check in the logs in the source it’s showing the IP address.
what is the change we have to do if we want to receive it as a name?
we are using inputs 514 UDP port.


I have attached the screenshot that shows firewall logs are coming with name and the load balancer is coming with the IP address.

Thanks
Suneelkumar V R


#2

Hi

Usually Graylog put the IP instead the source if it can’t parse the syslog message.
You can check the message two ways. with TCPdump, or set “store full message” under your input.
Usually the timestamp is in incorrect format, so the graylog can’t recognize it.

If you can’t change the logformat on your load balancer, you can set extractor or pipeline rule to change the IP to hostname,

M


(Suneelhegde03) #3

Hi,

Can you please help me how can I do this " you can set extractor or pipeline rule to change the IP to hostname,"

Thanks
SR


#4

You can create extractor to overwrite the hostname from the message field.
http://docs.graylog.org/en/2.4/pages/extractors.html
OR you can make a pipeline rule to overwrite the source based on the current ip in source field
docs.graylog.org/en/2.4/pages/pipelines/pipelines.html


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.