FQDN instead of IP
Posted: Thu Apr 23, 2015 7:18 am
by Narie
Hi,
We're testing NLS right now. It's looking good and we would like to see FQDN instead of IP-address in the All Events page. I have tried it with the field Hostname, but this field only seems to be filled when it's a Windows Event, and not with a Linux host. Do I need to configure something in NLS to get the hostname?
Thanks
Re: FQDN instead of IP
Posted: Thu Apr 23, 2015 10:42 am
by jolson
Narie,
You will be interested in the DNS filter:
http://logstash.net/docs/1.4.2/filters/dns
When you enable the above filter and logs come in, Nagios Log Server will attempt to resolve the IPs to names via reverse DNS lookup. NLS can then re-write specified fields with FQDN instead of an IP.
You will likely want to define a filter similar to the following:
dns {
    reverse => [ "host" ]
    action => [ "replace" ]
    add_tag => [ "dns" ]
}
I recommend trying it at the top of your filter list - as long as NLS can resolve properly, this should work:
[Screenshot: Instance Configuration, Nagios Log Server]
Re: FQDN instead of IP
Posted: Fri Apr 24, 2015 3:42 am
by Narie
Thanks a lot for your answer. Do I need to do anything else besides creating the filter?
In My Dashboard/All events I have just discovered that the fields Host and Logsource both give host information. However, Host shows IP-addresses, except for the localhost (logserver itself), and Logsource only shows the proper hostname (not FQDN) in case it's a Linux host, but not with a Windows host. I would like to see the FQDN in the Host field. Is that possible at all? I have added a picture to clarify.
Another question. How can I see the logs being automatically updated (tail -f)?
Re: FQDN instead of IP
Posted: Fri Apr 24, 2015 9:57 am
by jolson
The filter that we created should do what you want it to do - we can see that 'localhost.localdomain' is resolved properly.
If you open up an alert, do you see the 'dns' tag being added?
[Screenshot: Dashboard, Nagios Log Server]
If the 'dns' tag is added, DNS resolution has been attempted. Please ensure that Nagios Log Server is capable of resolving the FQDNs in question. You can test this from the command line.
Install DNS utilities:
Look up a host's FQDN:
Is resolution successful on the IPs you're trying to resolve? Is the DNS tag being added properly? Let me know - thanks!
Another question. How can I see the logs being automatically updated (tail -f)?
You can see logs being updated from the Nagios Log Server -> Dashboard screen. From the CLI, there is no simple way to see Logstash output in plain text. It's more understandable from the GUI anyway.
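
The command-line check described in the post above, as an added example that is not part of the original thread: it runs a reverse lookup for each address and also confirms that the returned name resolves forward to the same address, since a PTR record alone is set by whoever controls the reverse zone. Using `getent` is an assumption (it is not the command from the post), and the addresses are constructed samples.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify reverse DNS for the addresses
# that show up in the "host" field before enabling the Logstash dns filter.
# Usage: ./check_rdns.sh 192.0.2.10 192.0.2.11   (constructed addresses)

# Reverse lookup through the system resolver; prints the first name or nothing.
resolve_ptr() {
    getent hosts "$1" | awk '{ print $2; exit }'
}

# Forward lookup; prints each address the name resolves to, one per line.
resolve_fwd() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# Classify one IP and print "<STATUS> <ip> [<name>]":
#   OK         name is an FQDN and resolves back to the same IP
#   SHORTNAME  a name came back but it has no domain part
#   MISMATCH   name does not resolve back to the IP (do not trust it)
#   NO_PTR     reverse lookup returned nothing
check_ip() {
    local ip="$1" name
    name="$(resolve_ptr "$ip")"
    if [ -z "$name" ]; then
        echo "NO_PTR $ip"; return 1
    fi
    case "$name" in
        *.*) ;;
        *) echo "SHORTNAME $ip $name"; return 2 ;;
    esac
    if resolve_fwd "$name" | grep -qxF "$ip"; then
        echo "OK $ip $name"; return 0
    fi
    echo "MISMATCH $ip $name"; return 3
}

# Check every address given on the command line.
if [ "$#" -gt 0 ]; then
    status=0
    for ip in "$@"; do
        check_ip "$ip" || status=1
    done
    exit "$status"
fi
```

Run it on the log server itself, so the lookups go through the same resolver configuration that Logstash uses.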

Re: FQDN instead of IP
Posted: Sat Apr 25, 2015 4:35 pm
by Narie
Thanks ever so much for your help. It turned out reverse lookup wasn't working properly, so I had to fix this first. The auto refresh option I overlooked in my Dashboard, but this works as well. Great!
Now onto the next phase; checking out queries and other search functionalities.
Re: FQDN instead of IP
Posted: Mon Apr 27, 2015 8:55 am
by tmcdonald
We'll close this thread up now, but feel free to open another if you have any questions in the future.