Configuration help

[nathanplatt]

Hi Everyone,

I'm just trailing LS and have a interesting issue, all my logs are coming from 169.254.1.1 (host) but the logsource is the server name! Can i sort this out? Also is there a way to add devices manually?

[cdienger]

Can you provide a screenshot to clarify the issue? It sounds like there may be an issue with the host getting the wrong IP - 169.254 addresses are usually assigned to machines when they aren't able to get an IP via DHCP. If this is the IP address assigned to the host and what it is logging then this is what NLS will parse. Does the server name resolve to a good IP via DNS lookup? If so, then NLS can be configured to do a lookup and get the right IP and I can provide steps for this if we can get some clarification.

Also, I'm not sure what you mean by adding devices manually. NLS does have details on configuring various devices if you point your browser to http://NLS_IP/nagioslogserver/configure/add-log-source. Is this what you're looking for?

[nathanplatt]

Okay so NLS is on a another site behind a VPN, the servers its connecting too have internal addresses and NAT Virtual IP's to the outside work, the ones giving the default addresses should with be 10.0.x.x or 31.x.x.x addresses

[cdienger]

A DNS filter should fix the problem as long as the NLS server is able to resolve the logsource value to an IP. Here are some filters that will save the original logsource value, resolve it to a IP, save the IP to the host field, and finally write the original logsource value back to the logsource filed.

Code: Select all

mutate {
         add_field => { "logsource_orig" => "%{logsource}" }
}

dns {
        resolve => [ "logsource" ]
}

update => { "host" => "%{logsource}" }

update => { "logsource" => "%{logsource_orig}" }

Configuring inputs and details on the filters are covered in the links below:

https://assets.nagios.com/downloads/nag ... ilters.pdf
https://www.elastic.co/guide/en/logstas ... s-dns.html
https://www.elastic.co/guide/en/logstas ... utate.html