Hello,
I have 2 OSes that I'm monitoring. Both are resolvable.
But within vCenter Log Insight only one shows up as a source with the DNS name and the other one with its IP address.
What am I doing wrong?
Regards
Hans
Source is who sent the event to Log Insight. Hostname is the originator of the event. If the originator of the event is sending directly to Log Insight then the source and hostnames fields should be the same, which they are in your use-case. Source is resolved through DNS via Log Insight while hostname is whatever the source sends it as. In your case, it appears the source and hostname are always the same and they are changing between IP and FQDN. The time range of the delta appears to be 24 hours.
Can you go ahead and generate a support bundle and upload it per the directions here: http://kb.vmware.com/kb/1008525 (create a folder called hansdejongh)
Yes, but let me also check Splunk because it gets the same events...
In Splunk the host is always an IP. Uploading them now.
Uploaded.
I am not sure how Splunk handles source/hostname fields, but I suspect it is different than Log Insight.
Hey Sander,
Were you able to take a look at the files that I have uploaded? I updated to TP2 and still have the same issue. My sources show up as an IP while they are resolvable by the appliance.
OK, the example images you sent - what is the source? Are the events in valid syslog format? If the source and hostname are the same and are switching the same way then that usually means that the event is not in syslog format and more specifically is missing the hostname field. In that case, Log Insight uses the source as the hostname. As for why the source is changing, I would guess a DNS issue. The easiest way to test this is to wait until events are coming in as IP and then confirm you can resolve the IP on the Log Insight virtual appliance. Once successful, restart the Log Insight process. This will clear the DNS cache. Log Insight will then do a lookup for the IP and should display it as an FQDN.
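The check described in the reply above, as an added example that is not part of the original thread and not VMware's code: it tests whether a raw event carries a syslog HOSTNAME field and, if not, falls back to the sender's address as the reply says Log Insight does. The header patterns (RFC 3164 and RFC 5424), the tag heuristic, and the sample events and addresses are assumptions constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME ...
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss, then HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.S
)

def message_hostname(raw):
    """Return the HOSTNAME carried in the syslog header, or None if absent."""
    m = RFC5424.match(raw)
    if m:
        host = m.group(3)
        return None if host == "-" else host  # "-" is the RFC 5424 nil value
    m = RFC3164.match(raw)
    if m:
        first = m.group(3).split(" ", 1)[0]
        # Heuristic (assumption): "su:" or "sshd[411]:" is the TAG,
        # which means the sender left the HOSTNAME field out.
        if not first or first.endswith(":") or "[" in first:
            return None
        return first
    return None  # no recognisable syslog header at all

def hostname_field(raw, source):
    """Hostname as displayed: from the message, else the source."""
    host = message_hostname(raw)
    if host is not None:
        return host, "message"
    return source, "source-fallback"

# Constructed samples: (source as resolved by the collector, raw event)
SAMPLES = [
    ("192.0.2.10", "<13>Oct 11 22:14:15 su: 'su root' failed"),
    ("host-a.example.test", "<13>Oct 11 22:14:15 su: 'su root' failed"),
    ("192.0.2.10", "<13>Oct 11 22:14:15 host-a su: 'su root' failed"),
    ("192.0.2.10",
     "<34>1 2003-10-11T22:14:15.003Z host-a.example.test su - ID47 - failed"),
    ("192.0.2.10", "plain text with no syslog header"),
]

def report(samples=SAMPLES):
    return [hostname_field(raw, src) for src, raw in samples]

if __name__ == "__main__":
    for (src, raw), (host, origin) in zip(SAMPLES, report()):
        print(f"source={src:<20} hostname={host:<20} ({origin})")
```

Events that come back as `source-fallback` are the ones whose hostname will flip between IP and FQDN whenever the collector's DNS result for the sender changes.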
Just following up, were you able to get this addressed?
