converting IP addresses into hostnames


Post by skendric » Fri Dec 09, 2016 6:47 pm

Most of my devices send their hostname in the syslog message.
2016-12-05T04:09:51-08:00 bh-dc-isi1-11 snmpd[41181]: sysctlbyname(kern.file) failed: Cannot allocate memory


But some send their IP address instead.
2016-12-05T04:38:12 10.20.30.17 Environment: Lost the local network management interface-to-integrated Environmental Monitor (Universal I/O at Port 1) communication

I would like rsyslogd to translate IP addresses into hostnames before writing the message to a file.

What are my options for doing this?

--sk

Re: converting IP addresses into hostnames

Post by dlang » Fri Dec 09, 2016 11:46 pm

There is currently not a function to do a name lookup, but if you are on the first machine that receives the logs, there are the $fromhost-ip and $fromhost variables.

fromhost-ip is the IP that the logging packets arrived from; fromhost is a name lookup of that IP.

You can then use a custom template to replace $hostname with $fromhost when you send or write the log.

Re: converting IP addresses into hostnames

Post by skendric » Mon Feb 27, 2017 11:55 pm

Thank you for the tips.

For posterity, here is what I did:
/etc/rsyslog.conf:

template(name="ReplaceIPWithHostname" type="list") {
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="fromhost")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on" )
    property(name="msg" droplastlf="on" )
    constant(value="\n")
    }


/etc/rsyslog.d/50-default.conf:
#
# Log most stuff.  But if the host sends its IP address instead of its hostname, then replace the IP address with the hostname
#
if re_match($hostname, '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}') then
 {
  *.info;local4.none                    /var/log/syslog;ReplaceIPWithHostname
  stop
}
*.info;local4.none                              /var/log/syslog
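An added example, not part of the original posts and not rsyslog code: a Python check that applies the same decision to already-written log lines, replacing a host field that is an IPv4 literal with its reverse-DNS name and listing the senders that have no PTR record and would therefore still be logged by address. It assumes the "timestamp host message" layout shown in the thread and that the device logs directly to this server, so the address in the host field is the one rsyslog would resolve for $fromhost; the sample lines and the PTR table are constructed.

```python
import ipaddress
import socket

# Constructed sample lines in the layout shown in the thread.
SAMPLE = [
    "2016-12-05T04:09:51-08:00 bh-dc-isi1-11 snmpd[41181]: sysctlbyname failed",
    "2016-12-05T04:38:12 10.20.30.17 Environment: Lost communication",
    "2016-12-05T04:40:00 10.20.30.99 Environment: fan failure",
    "2016-12-05T04:41:00 sw-10.20.30.17.example.net kernel: link up",
]

def is_ipv4_literal(host):
    """True only when the whole field is a valid dotted-quad address."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

def reverse_dns(ip):
    """PTR lookup; returns None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def rewrite_line(line, resolve=reverse_dns):
    """Swap an IPv4 host field for its resolved name; otherwise return the line unchanged."""
    parts = line.split(" ", 2)
    if len(parts) < 3 or not is_ipv4_literal(parts[1]):
        return line
    name = resolve(parts[1])
    if name:
        parts[1] = name
    return " ".join(parts)

def unresolved_hosts(lines, resolve=reverse_dns):
    """Addresses that would still appear as the host because the lookup failed."""
    out = set()
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) == 3 and is_ipv4_literal(parts[1]) and resolve(parts[1]) is None:
            out.add(parts[1])
    return sorted(out)

if __name__ == "__main__":
    ptr = {"10.20.30.17": "env-mon-17.example.net"}  # constructed PTR table
    print("\n".join(rewrite_line(l, ptr.get) for l in SAMPLE))
    print("no PTR record:", unresolved_hosts(SAMPLE, ptr.get))
```

Run against the real resolver by omitting the second argument; the names it returns are only as trustworthy as the reverse zone that serves them.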