No.of unique hosts have been increased

[lukedevon]

Hi

Could you please help me to understand the following;

I have integrated two external nodes with NLS. So I should be able to see 2 hosts under unique hosts. However I can see around 8 unique hosts instead of 2.

As I observed; One client IP having multiple instances.

For example --> client IP: some random port ()

Is this a configuration issue and are we able to fix this or is this completely normal?

Thank you
Luke.

[npolovenko]

Hello, @lukedevon. Could you send me a screenshot with the unique hostnames and specify the IP addresses of two hosts that you added? If you don't want to share this on the forum you can send it to me via private message. But please post something in this thread afterward to bring it back up in the support queue.
Thanks

[lukedevon]

Hi

I already PM you the screenshot. Hope it will help you to understand the concern.

Thank you
Luke.

[npolovenko]

@lukedevon, Thank you. Please click on one of the unique hosts in the list, then click on one of the events in the events table to expand it and send me a screenshot of the expanded fields and values. Particularly, I want to see the host field and its value.
Also, in the Log Server web interface go to the Configure menu, click on the Global Config menu in the left column. Then click on View -> All files combined. Copy all text to a text file and upload it.

[lukedevon]

Hi

I uploaded event logs for the particular host. I was not able to upload the other screen shot as the PM screen do not allow upload more than one content.

Thank you
Luke.

[npolovenko]

@lukedevon, Thank you. However, I'd be more interested to see a screenshot of the expanded event with the hostname on the screenshot. Because it will show how the hostname is being processed by the Logstah filters.
Also, in the Log Server web interface go to the Configure menu, click on the Global Config menu in the left column. Then click on View -> All files combined. Copy all text to a text file and upload it.
You can send me multiple messages with files, or put two files in a zip file and send me the zip file instead.

[lukedevon]

Hi ,

I uploaded the files.

Thanks
Luke.

[npolovenko]

@lukedevon, Thank you. We're thinking that RELP could be causing this problem.

relp {
type => 'syslog'
port => 5544
}

But to further troubleshoot this we'd like to see a screenshot of the event that came from one of the unique hosts(with a port address). Here is an example of what it should look like.

Untitled.png

Please click on one of the unique hosts in the list, then click on one of the events in the events table to expand it and send me a screenshot of the expanded fields and values.

[lukedevon]

Hi

I sent you the screenshot.

Thanks
Luke.

[npolovenko]

@lukedevon, I think I have a solution for you. Let's add a new Logstash filter. Go to the Configure menu, then click on Global Config in the left column. Then click on Add new filter.
Paste the following inside the filter:

grok {
match => { "host" => "%{IP:host}" }
overwrite => [ "host" ]
}

Hit save, and then Apply Confifguration in the top left column.

Untitled.png