Unable to Show Fully Qualified Domain Name


(Greg Smith) #1

I have a problem with DNS resolution on Graylog 2.2.
It's running on CentOS 7. I'm only using one server at the moment, so my database and Elasticsearch are all on one virtual machine.

In my Source section it shows only the IP address, not the fully qualified domain name.
What I have tried to do was the following:

I configured my Input with Force rDNS using port 5145, Global.
No joy.

Downloaded the DNS Resolver plugin for Graylog:
https://github.com/Graylog2/graylog-plugin-dnsresolver/releases/download/1.1.2/graylog-plugin-dnsresolver-1.1.2.jar
Placed the file in the /plugin directory.
Restarted the graylog service:
Root # systemctl restart graylog-server
No joy.

Added the following lines to the graylog configuration file:
dns_resolver_enabled – set to true
dns_resolver_run_before_extractors – set to true
dns_resolver_timeout – set to 2s
Restarted the graylog services:
Root # systemctl restart graylog
No joy.

Rebooted the virtual machine.
No joy.

Checked my resolv.conf file for the correct DNS address; completed, no problems.

The workaround was configuring my /hosts file as follows:
xxx.xxx.xxx.xxx <fully qualified domain name>
Saved and restarted the network.

I have over 1000 nodes and really don't want to add every one to my hosts file; is there something I'm missing? If so, I would really appreciate any help.
Thanks in advance.


(Jan Doberstein) #2

hej @gsmith

How did you send the logs over to Graylog? If the sending clients already know the DNS name and use it in the log lines, you do not need to make a DNS call on Graylog.

regards
Jan


(Jochen) #3

Is reverse DNS working at all? Do all of your systems have valid PTR records?


(Greg Smith) #4

Hello Jan,
I'm using nxlog to send my logs to Graylog, using port 5145 UDP. What's weird is I have 10 test VMs in the lab all running Windows Server 2012 R2; the first three virtual machines were fine, no problems, but the rest did not come through. I was assuming that there was a bug. Thank you for your reply.


(Greg Smith) #5

Hello Jochen,
I think there is a problem in my reverse DNS. I was granted access to our DC, and looking through the reverse records I found only one entry, which is the xxx.xxx.6.0 network. The machines that are on a different network (xxx.xxx.2.0 & xxx.xxx.96.0) are the ones that are not in the reverse lookup zone. Perhaps this might be my problem. I will update when this is finished. Thank you for your help.


(Greg Smith) #6

I updated my PTR on the DNS server; problem solved.


#7

Hello @gsmith

Sorry for my English. I've had the same issue. I just downloaded the DNS Resolver plugin for Graylog, placed the file in the /plugin directory, added the lines to the configuration file, and restarted the graylog service, but there is no change. I don't even see a way to configure the plugin. Can you explain to me how you solved your problem, please?

Thank you.


(Greg Smith) #8

@sojip
I no longer use the DNS plugin.
In my environment we use 2 DNS servers. I made sure that the PTR (reverse lookup) showed my Graylog server and was configured as an FQDN, and my Graylog server's FQDN came through.
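A way to answer Jochen's question in #3 for many hosts at once, and to catch the "PTR is not an FQDN" case Greg describes in #8, as an added example that is not from this thread or from Graylog: a forward-confirmed reverse DNS audit over a list of source IPs. The function names check_ptr and audit are hypothetical; with the default arguments it queries the system resolver (the same lookup Graylog's Force rDNS relies on), and the lookups are injectable so it can be exercised offline against a constructed table.

```python
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Lookups are injectable so the audit can run against a constructed table instead
# of the live resolver; with the defaults it queries the system resolver.
ReverseLookup = Callable[[str], str]        # ip -> PTR name, raises OSError if none
ForwardLookup = Callable[[str], List[str]]  # name -> A records, raises OSError if none

def _reverse(ip: str) -> str:
    # socket.gethostbyaddr raises socket.herror (an OSError) when no PTR exists
    return socket.gethostbyaddr(ip)[0]

def _forward(name: str) -> List[str]:
    # socket.gethostbyname_ex raises socket.gaierror (an OSError) on NXDOMAIN
    return socket.gethostbyname_ex(name)[2]

def check_ptr(ip: str, reverse: ReverseLookup = _reverse,
              forward: ForwardLookup = _forward) -> Tuple[str, str]:
    """Classify one source IP: ok, no-ptr, not-fqdn or forward-mismatch."""
    try:
        name = reverse(ip)
    except OSError:
        return ("no-ptr", "")              # no reverse zone / no PTR record at all
    if "." not in name:
        return ("not-fqdn", name)          # PTR points at a short name, not an FQDN
    try:
        addrs = forward(name)
    except OSError:
        addrs = []                         # PTR names a host that has no A record
    if ip not in addrs:
        return ("forward-mismatch", name)  # stale PTR: name does not map back to ip
    return ("ok", name)

def audit(ips: Iterable[str], reverse: ReverseLookup = _reverse,
          forward: ForwardLookup = _forward) -> Dict[str, List[Tuple[str, str]]]:
    """Run check_ptr over every IP and group the results by status."""
    report: Dict[str, List[Tuple[str, str]]] = {
        "ok": [], "no-ptr": [], "not-fqdn": [], "forward-mismatch": []}
    for ip in ips:
        status, name = check_ptr(ip, reverse, forward)
        report[status].append((ip, name))
    return report

if __name__ == "__main__":
    import sys
    # Feed one IP per line, e.g. the distinct source addresses exported from Graylog.
    for status, entries in audit(l.strip() for l in sys.stdin if l.strip()).items():
        for ip, name in entries:
            print(f"{status:16} {ip:15} {name}")
```

Every IP that lands in no-ptr or forward-mismatch is one whose reverse zone needs a correct PTR before Graylog can show its FQDN.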