Mailing Lists: Apple Mailing Lists


Re: syslog server function in osx server?



On Mar 21, 2007, at 11:47 AM, OddSox wrote:


On Mar 21, 2007, at 11:19 AM, Chris Waltham wrote:

Okay, so I've tried this a little more and I'm still having issues. This is the message that I see in splunk:

Mar 21 11:15:36 172.16.1.172 cwaltham: [ID 702911 user.notice] pphtestad1

172.16.1.172 is, of course, the source address (in this case, a Solaris box) of a machine sending its syslog messages to an OS X 10.4.9 box (regular, not Server). And yet:

[root@osx log]# host 172.16.1.172
172.1.16.172.in-addr.arpa domain name pointer pphtestad1.pressherald.com.
[root@osx log]# host pphtestad1.pressherald.com
pphtestad1.pressherald.com has address 172.16.1.172

See what I mean? It maketh no senseth :-\ This is with and without an entry in /etc/hosts.

Are you sure it isn't a config issue in Splunk?


"Whether to do a reverse DNS lookup on the IP address of any connecting client in order to set the host::parameter of events. The default is true. If false, the module will set host:: to the IP address."

...but then says:
"By default, this module will set the value of host:: to be the IP address of the host that transmitted the event.

If useDNSForHost is set to True, the module will perform a reverse DNS lookup on the IP address. If the address resolves to a hostname, it will set that value instead."

I haven't used Splunk (yet - am checking it out) so I don't know which is correct - but it seems to be a contradiction...

This is an excellent point, Fred, thanks. However, I'm not sure if it will affect me or not. I'm using /var/log/system.log as an input source for Splunk, which is where some remote syslog messages are collected from other servers. However, I don't know if Splunk is smart enough to say "Hey, that syslog entry has an IP address at the start of it, I'll try and resolve it to DNS" or not. Because it's actually OS X's syslog that's only seeing the IP address, and not Splunk itself, I may be SOL.


Chris
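
An added example, not part of the original thread: one way to resolve the host field of collected syslog lines before they reach an indexer, for the case where the collector's log file holds only the sender's IP. It goes one step beyond the thread by accepting a PTR name only when it forward-resolves back to the same address, so a misleading reverse record cannot relabel a log source. `HostRewriter`, `system_resolver` and the line layout (classic BSD syslog, as in the sample message above) are assumptions of this sketch.

```python
import re
import socket
import sys

# Classic BSD syslog line as written to system.log: "Mon DD HH:MM:SS host rest"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def system_resolver(ip):
    """Return (ptr_name, forward_addresses) for ip using the OS resolver."""
    name = socket.gethostbyaddr(ip)[0]
    return name, socket.gethostbyname_ex(name)[2]


class HostRewriter:  # hypothetical helper, not a Splunk or syslogd API
    def __init__(self, resolver=system_resolver):
        self.resolver = resolver
        self.cache = {}  # ip -> hostname, or None when the lookup failed

    def lookup(self, ip):
        if ip not in self.cache:
            try:
                name, addrs = self.resolver(ip)
                # Forward-confirm: trust the PTR name only if it maps back to
                # the same IP; otherwise keep the IP as the host field.
                self.cache[ip] = name if ip in addrs else None
            except OSError:  # socket.herror / socket.gaierror
                self.cache[ip] = None
        return self.cache[ip]

    def rewrite(self, line):
        m = LINE_RE.match(line)
        if not m or not IPV4_RE.match(m.group(2)):
            return line  # host field is already a name, or not a syslog line
        name = self.lookup(m.group(2))
        return line if name is None else f"{m.group(1)} {name} {m.group(3)}"


if __name__ == "__main__":
    rw = HostRewriter()
    for raw in sys.stdin:
        print(rw.rewrite(raw.rstrip("\n")))
```

Run as a filter over the log file; each IP is resolved once and cached, and unresolved or unconfirmed addresses are left untouched.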

