Unable to Show Fully Qualified Domain Name

(Greg Smith) #1

I have a problem with DNS resolution on Graylog 2.2.
It's running on CentOS 7. I'm only using one server at the moment, so my database and Elasticsearch are all on one virtual machine.

In my Source section it shows only the IP address, not the fully qualified domain name.
What I have tried to do was the following:

I configured my Input with Force rDNS using port 5145, Global.
No joy.

Downloaded the DNS Resolver Plugin for Graylog
Placed the file in the /plugin directory
Restarted the graylog service
Root # systemctl restart graylog-server
No joy

Added the following lines to the graylog configuration file:
dns_resolver_enabled – set to true
dns_resolver_run_before_extractors – set to true
dns_resolver_timeout – set to 2s
Restarted graylog services
Root # systemctl restart graylog
No joy

Rebooted the virtual machine
No joy

Checked my resolv.conf file for the correct DNS address; completed, no problems.

The workaround was configuring my /hosts file as follows:
xxx.xxx.xxx.xxx <fully qualified domain name>
Saved and restarted the network.

I have over 1000 nodes and really don't want to add every one to my hosts file; is there something I'm missing? If so, I would really appreciate any help.
Thanks in advance

(Jan Doberstein) #2

Hi @gsmith

How did you send the logs over to Graylog? If the sending clients already know the DNS name and use it in the log lines, you do not need to make a DNS call on Graylog.

(Jochen) #3

Is reverse DNS working at all? Do all of your systems have valid PTR records?

(Greg Smith) #4

Hello Jan,
I'm using nxlog to send my logs to Graylog, using port 5145 UDP. What's weird is I have 10 test VMs in the lab, all running Windows Server 2012 R2; the first three virtual machines were fine, no problems, but the rest did not come through. I was assuming that there was a bug. Thank you for your reply.

(Greg Smith) #5

Hello Jochen,
I think there is a problem in my reverse DNS. I was granted access to our DC, and looking through the reverse records I found only one entry, which is the xxx.xxx.6.0 network. The machines that are on a different network (xxx.xxx.2.0 & xxx.xxx.96.0) are the ones that are not in the reverse lookup zone. Perhaps this might be my problem. I will update when this is finished. Thank you for your help.

(Greg Smith) #6

I updated my PTR records on the DNS server. Problem solved.
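The diagnosis in this thread was that whole /24 networks had no reverse lookup zone, so Graylog's rDNS could only ever show the IP. Below is an added example (not from the thread or from Graylog) that audits a list of source IPs for PTR records and groups the failures by the in-addr.arpa zone that would have to hold them; the sample addresses and the `fake_lookup` stand-in resolver are constructed so it runs offline, while the default `lookup` uses the live `socket.gethostbyaddr`.

```python
import socket
from collections import defaultdict

# Constructed sample of source IPs as Graylog would show them (placeholder
# prefixes standing in for the xxx.xxx.6.0, .2.0 and .96.0 networks in the thread).
SAMPLE_SOURCES = ["10.0.6.10", "10.0.6.11", "10.0.2.20", "10.0.2.21", "10.0.96.30"]

# Constructed stand-in for the DNS server: only the 6.0 reverse zone has PTR records.
FAKE_PTR = {"10.0.6.10": "dc01.example.test", "10.0.6.11": "fs01.example.test"}


def fake_lookup(ip):
    """Mimics socket.gethostbyaddr() against the constructed zone data."""
    if ip in FAKE_PTR:
        return (FAKE_PTR[ip], [], [ip])
    raise socket.herror(1, "Unknown host")


def reverse_zone(ip):
    """Name of the /24 in-addr.arpa zone that must hold this IP's PTR record."""
    octets = ip.split(".")
    return ".".join(octets[2::-1]) + ".in-addr.arpa"


def audit_ptr(ips, lookup=socket.gethostbyaddr):
    """Split IPs into those with a PTR (ip -> FQDN) and those without, grouped by zone.

    Pass lookup=fake_lookup to run offline; the default queries the live resolver.
    """
    resolved = {}
    missing = defaultdict(list)
    for ip in ips:
        try:
            hostname, _aliases, _addrs = lookup(ip)
            resolved[ip] = hostname
        except OSError:  # socket.herror / gaierror: no PTR or lookup failure
            missing[reverse_zone(ip)].append(ip)
    return resolved, dict(missing)


if __name__ == "__main__":
    ok, gaps = audit_ptr(SAMPLE_SOURCES, lookup=fake_lookup)
    for ip, name in ok.items():
        print(f"{ip:<15} -> {name}")
    for zone, ips in gaps.items():
        print(f"missing PTRs in {zone}: {', '.join(ips)}")
```

Each zone listed under "missing PTRs" is one a DNS administrator has to create and populate before Graylog's rDNS (or any collector's) can show hostnames for those sources.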