I have logs coming from a syslog-ng client on an X.X.30.111 address, for which an nslookup will show the correct DNS info. My Splunk server resides on an X.X.10.X network and shows the host as the gateway for that subnet. I don't have this problem anywhere else. If I ping, it looks good; nslookup looks good; PTR records look good. The client uses a different DNS server, and that is about it, but the hostname it is reporting as is in my local DNS, not the one the client is using, so somehow Splunk has to be reporting the name wrong, but I cannot figure out why.
Forums: SplunkAdministration: Wrong Host Reported
Sorry, that post was clear as mud; let me simplify. X.X.30.111 has an FQDN of www.domain.tld, but Splunk reports it as fortigate10.domain.tld in the logs.
Splunk reports host = fortigate10.domain.tld
From SPLUNK server:
ping fortigate10.domain.tld
reply from X.X.10.254
nslookup fortigate10.domain.tld
Server: DNS.domain.tld
Address: X.X.10.107
Name: fortigate10.domain.tld
Address: X.X.30.111
ping X.X.30.111
reply from X.X.30.111
nslookup X.X.30.111
Server: dns.domain.tld
Address: 192.168.10.107
Name: www.domain.tld
Address: 192.168.30.111
Oops, that nslookup for fortigate10 should look like:
Server: DNS.domain.tld
Address: X.X.10.107
Name: fortigate10.domain.tld
Address: X.X.10.254
Not sure that this is a Splunk problem; we get that from rDNS the first time we receive data from the host. You can use host tags to associate the wrong name with a tag of the right one.
If I tag it, then what happens when my FortiGate sends logs? As I showed above, my PTR records are good. Is there a way to turn off resolution for this IP? I would really like to be able to distinguish in my logs the difference between my firewall and my web server.
I can't really account for why it is seeing your host as such. I will see if there is a good way to keep it from doing so going forward.
Any movement on this, araitz? I double-checked my DNS settings just to be sure and can't find any weirdness. Does Splunk look up the PTR record, or does it just go off of what the host tells it? Knowing that would help my troubleshooting.
So I haven't been able to reproduce this or find any reason why Splunk would mess this up. As a result, I really feel like this has something to do with a bad reverse DNS record, hosts record, or other naming problem.
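An added checker for the possibility raised in the reply above (example code written for this thread, not Splunk's code or the poster's): given a source IP and the host name Splunk reports for it, it compares the current PTR record and the forward record of the reported name and says whether the name is consistent, comes from a wrong PTR, or is stale relative to what DNS says now. The resolver answers are a constructed table mirroring the nslookup output in the thread, with the `X.X.` placeholder taken as `192.168.`; `live_resolver` is an assumed helper that asks the system resolver instead.

```python
import socket

# Constructed answers mirroring the nslookup output in the thread
# (placeholder X.X. octets taken as 192.168.). IP keys hold PTR names,
# name keys hold forward (A) addresses.
CONSTRUCTED_DNS = {
    "192.168.30.111": ["www.domain.tld"],
    "192.168.10.254": ["fortigate10.domain.tld"],
    "www.domain.tld": ["192.168.30.111"],
    "fortigate10.domain.tld": ["192.168.10.254"],
}


def table_resolver(table):
    """Resolver backed by a dict, so the check runs offline."""
    return lambda key: list(table.get(key, []))


def live_resolver(key):
    """Same interface on top of the system resolver (needs the network)."""
    try:
        if key.replace(".", "").isdigit():      # IPv4 literal -> PTR lookup
            return [socket.gethostbyaddr(key)[0]]
        return socket.gethostbyname_ex(key)[2]  # name -> forward addresses
    except (socket.herror, socket.gaierror):
        return []


def diagnose(ip, reported_host, resolve):
    """Return (verdict, detail) for an event whose host field disagrees with its source IP."""
    ptr_names = resolve(ip)
    reported_ips = resolve(reported_host)
    if ip in reported_ips:
        return "consistent", f"{reported_host} forward-resolves to {ip}"
    if not ptr_names:
        return "no-ptr", f"{ip} has no PTR record, so the name did not come from rDNS"
    if reported_host in ptr_names:
        return "bad-ptr", f"PTR for {ip} names {reported_host}, which resolves to {reported_ips or 'nothing'}"
    if reported_ips:
        # The name was taken from an earlier rDNS answer; current DNS disagrees.
        return "stale", f"current PTR gives {ptr_names[0]}, but {reported_host} now belongs to {reported_ips[0]}"
    return "orphan-name", f"{reported_host} no longer resolves; current PTR gives {ptr_names[0]}"


if __name__ == "__main__":
    resolve = table_resolver(CONSTRUCTED_DNS)
    for ip, host in [("192.168.30.111", "fortigate10.domain.tld"),
                     ("192.168.10.254", "fortigate10.domain.tld")]:
        print(ip, host, "->", diagnose(ip, host, resolve))
```

With the thread's records the firewall IP comes back "consistent" while the web server IP comes back "stale", which matches the first-lookup behaviour described in the reply; a "bad-ptr" verdict would instead point at the reverse zone itself.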