Hi,
We're testing NLS right now. It's looking good and we would like to see FQDN instead of IP-address in the All Events page. I have tried it with the field Hostname, but this field only seems to be filled when it's a Windows Event, and not with a Linux host. Do I need to configure something in NLS to get the hostname?
Thanks
FQDN instead of IP
Re: FQDN instead of IP
Narie,
You will be interested in the DNS filter: http://logstash.net/docs/1.4.2/filters/dns
When you enable the above filter and logs come in, Nagios Log Server will attempt to resolve the IPs to names via reverse DNS lookup. NLS can then re-write specified fields with FQDN instead of an IP.
You will likely want to define a filter similar to the following:
dns {
    reverse => [ "host" ]
    action => [ "replace" ]
    add_tag => [ "dns" ]
}
I recommend trying it at the top of your filter list - as long as NLS can resolve properly, this should work:
Re: FQDN instead of IP
Thanks a lot for your answer. Do I need to do anything else besides creating the filter?
In My Dashboard/All events I have just discovered that the fields Host and Logsource both give host information. However, Host shows IP-addresses, except for the localhost (logserver itself), and Logsource only shows the proper hostname (not FQDN) in case it's a Linux host, but not with a Windows host. I would like to see the FQDN in the Host field. Is that possible at all? I have added a picture to clarify.
Another question. How can I see the logs being automatically updated (tail -f)?
Re: FQDN instead of IP
The filter that we created should do what you want it to do - we can see that 'localhost.localdomain' is resolved properly.
If you open up an alert, do you see the 'dns' tag being added? If the 'dns' tag is added, DNS resolution has been attempted. Please ensure that Nagios Log Server is capable of resolving the FQDNs in question. You can test this from the command line.
Install DNS utilities:
    yum -y install bind-utils
Look up a host's FQDN:
    host 192.168.1.1
Is resolution successful on the IPs you're trying to resolve? Is the DNS tag being added properly? Let me know - thanks!
"Another question. How can I see the logs being automatically updated (tail -f)?"
You can see logs being updated from the Nagios Log Server -> Dashboard screen. From the CLI, there is no simple way to see Logstash output in plain text. It's more understandable from the GUI anyway.
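The reverse-lookup check suggested above, scripted for a list of log sources, as an added example that is not part of the original thread or of Nagios Log Server. It goes one step beyond the thread by also confirming that the PTR name resolves back to the same IP, since whoever controls the reverse zone controls the name written into the host field; the function names, status labels and sample addresses are assumptions constructed for illustration.

```python
import socket
import sys

def reverse_lookup(ip):
    """Return the PTR name for ip, or None when reverse DNS fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def forward_lookup(name):
    """Return the set of addresses name resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_host(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Classify what a reverse lookup would put in the host field for ip."""
    name = reverse(ip)
    if name is None:
        return {"ip": ip, "name": None, "status": "no-ptr"}  # field stays an IP
    name = name.rstrip(".")
    if "." not in name:
        status = "short-name"        # resolves, but not to an FQDN
    elif ip not in forward(name):
        status = "forward-mismatch"  # PTR name does not map back to this IP
    else:
        status = "ok"
    return {"ip": ip, "name": name, "status": status}

def report(ips, reverse=reverse_lookup, forward=forward_lookup):
    """Run check_host over every address and return the results in order."""
    return [check_host(ip, reverse, forward) for ip in ips]

# Constructed sample data standing in for a real resolver (documentation range).
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
SAMPLE_PTR = {"192.0.2.10": "web01.example.com.", "192.0.2.11": "db01",
              "192.0.2.12": "old.example.com"}
SAMPLE_A = {"web01.example.com": ["192.0.2.10"], "old.example.com": ["192.0.2.99"]}

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

def sample_forward(name):
    return set(SAMPLE_A.get(name, []))

if __name__ == "__main__":
    # With arguments: query the system resolver. Without: use the sample data.
    rows = report(sys.argv[1:]) if sys.argv[1:] else report(
        SAMPLE_IPS, sample_reverse, sample_forward)
    for row in rows:
        print("{ip:<16} {status:<17} {name}".format(**row))
```

Run it on the log server itself with the source IPs as arguments, so the lookups go through the same resolver configuration the server uses.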
Re: FQDN instead of IP
Thanks ever so much for your help. It turned out reverse lookup wasn't working properly, so I had to fix this first. The auto refresh option I overlooked in my Dashboard, but this works as well. Great!
Now onto the next phase; checking out queries and other search functionalities.
Re: FQDN instead of IP
We'll close this thread up now, but feel free to open another if you have any questions in the future.
Former Nagios employee