VMware Cloud Community
HansdeJongh
Enthusiast

Reverse DNS

Hello,

I have 2 OSes that I'm monitoring. Both are resolvable.

But within vCenter Log Insight only one shows up as a source with the DNS name and the other one with its IP address.


What am I doing wrong?

Regards

Hans

31 Replies
admin
Immortal

Hi Hans,

For the OS whose source shows up as an IP, do all messages from that OS have an IP as source field? Or is there a mix of IP and DNS name? In particular, pay attention to more recent messages.

Jon

HansdeJongh
Enthusiast

Well, this is bizarre... since 13:00 (5 minutes after I posted this message) it started to show up with the DNS name.
There hasn't been a single IP as source message anymore......

HansdeJongh
Enthusiast

Hmm, I might have logged in to the shell and done an nslookup / reverse for the DNS / IP address... around that time

admin
Immortal

Hi Hans,

Actually it is a known issue where when using UDP, the first message arriving from a remote source may get an IP source tag instead of a DNS name. Thanks for taking the time to report - helps us find issues like this.

Can you mark this as answered? Thanks,

Jon

HansdeJongh
Enthusiast

Yes, I know of that.

But we are talking about 100.000 messages with source=ip and then suddenly it changed to source=dns

sflanders
Commander

You mentioned both are resolvable. How did you verify this? It's possible that the virtual appliance was unable to resolve the IP originally and later it could.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

HansdeJongh
Enthusiast

Nope, but let me check something: I have an IP which hasn't got a DNS name yet. I'll give it one now. How fast before the appliance should show it as the source?

sflanders
Commander

In most cases, if the source was not in DNS and then was added, the change should be as soon as the DNS change propagates through the DNS servers (i.e. as soon as Log Insight is able to resolve the IP).

Just to confirm, this is for the source field and not the hostname field right?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

HansdeJongh
Enthusiast

Well, I tried that this afternoon; I added a source in DNS. It's still not being resolved.

Yes we are talking about the source field.

sflanders
Commander

The worst case scenario is that the DNS change takes 24 hours to propagate to Log Insight. Can you see if the results change once 24 hours has passed?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

HansdeJongh
Enthusiast

We'll know tomorrow :)

sflanders
Commander

Have you confirmed you can perform a reverse lookup of the IP from the Log Insight virtual appliance?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

HansdeJongh
Enthusiast

Yes, I can.

HansdeJongh
Enthusiast

I'm messing something up, I think.

It's the hostname field and not the source field.

sflanders
Commander

OK, this makes sense then. Log Insight only attempts to resolve the source field of events and not the hostname. If the hostname is/was IP and now is/was FQDN then this typically indicates a configuration change on the originator of the event or a configuration change on a syslog aggregator if applicable. Syslog agents can be configured to send the hostname field as either IP or FQDN. Syslog agents may also look at settings such as those defined in /etc/hostname and/or /etc/hosts when starting to determine how to set the hostname field.

What OS and what syslog agent are you using? Is it possible a configuration change occurred?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
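
An added example (not part of the thread and not Log Insight's own code) illustrating the distinction in the reply above: the hostname field is whatever the sender wrote into the syslog header, independent of the address the packet arrived from. It parses constructed RFC 3164 style lines and reports senders whose hostname field flipped between an IP literal and a name; the function names and sample events are assumptions.

```python
import ipaddress
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")

def hostname_field(raw):
    """Return the HOSTNAME the sender wrote into the header, or None."""
    m = HEADER.match(raw)
    return m.group(3) if m else None

def kind(value):
    """Classify a hostname field value as 'ip' or 'name'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "name"

def hostname_changes(events):
    """events: iterable of (sender_ip, raw_line) in arrival order.
    Returns [(sender_ip, old_value, new_value)] for each point where one
    sender's hostname field flips between an IP literal and a name."""
    last = {}
    changes = []
    for sender_ip, raw in events:
        host = hostname_field(raw)
        if host is None:
            continue  # unparseable header: nothing to compare
        prev = last.get(sender_ip)
        if prev is not None and kind(prev) != kind(host):
            changes.append((sender_ip, prev, host))
        last[sender_ip] = host
    return changes

# Constructed sample: (UDP sender address, raw syslog line).
SAMPLE = [
    ("192.0.2.10", "<13>Oct  4 12:50:01 192.0.2.10 sshd[811]: session opened"),
    ("192.0.2.11", "<13>Oct  4 12:50:02 web01.example.test cron[92]: job start"),
    ("192.0.2.10", "<13>Oct  4 12:58:40 192.0.2.10 sshd[811]: session closed"),
    ("192.0.2.10", "<13>Oct  4 13:00:07 db01.example.test sshd[902]: session opened"),
    ("192.0.2.11", "not a syslog header"),
]

if __name__ == "__main__":
    for sender, old, new in hostname_changes(SAMPLE):
        print(f"{sender}: hostname field changed {old} -> {new}")
```

A flip reported here points at the sender's or aggregator's configuration, not at reverse DNS on the collector.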

HansdeJongh
Enthusiast

Not that I'm aware of, let me check that...

HansdeJongh
Enthusiast

I'm losing oversight :) Too many cases at the same time. I have to lift this over the weekend and check again on Monday.

sflanders
Commander

No problem, let me know what you find and have a great weekend!

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

HansdeJongh
Enthusiast

I'm losing it completely now.

Check my next post.
