VMware Cloud Community
HansdeJongh
Enthusiast

Reverse DNS

Hello,

I have 2 OSes that I'm monitoring. Both are resolvable.

But within vCenter Log Insight only one shows up as a source with the DNS name and the other one with its IP address.

What am I doing wrong?

Regards

Hans

31 Replies
HansdeJongh
Enthusiast

pastedImage_0.png

HansdeJongh
Enthusiast

pastedImage_0.png

HansdeJongh
Enthusiast

pastedImage_0.png

HansdeJongh
Enthusiast

pastedImage_0.png

sflanders
Commander

Source is who sent the event to Log Insight. Hostname is the originator of the event. If the originator of the event is sending directly to Log Insight then the source and hostname fields should be the same, which they are in your use-case. Source is resolved through DNS via Log Insight while hostname is whatever the source sends it as. In your case, it appears the source and hostname are always the same and they are changing between IP and FQDN. The time range of the delta appears to be 24 hours.

Can you go ahead and generate a support bundle and upload it per the directions here: http://kb.vmware.com/kb/1008525 (create a folder called hansdejongh)

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
HansdeJongh
Enthusiast

Yes, but let me also check Splunk because it gets the same events...

HansdeJongh
Enthusiast

In Splunk the host is always an IP. Uploading them now.

HansdeJongh
Enthusiast

Uploaded.

sflanders
Commander

I am not sure how Splunk handles source/hostname fields, but I suspect it is different than Log Insight.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
HansdeJongh
Enthusiast

Hey Sander,

Were you able to take a look at the files that I have uploaded? I updated to TP2 and still have the same issue. My sources show up as an IP while they are resolvable by the appliance.

sflanders
Commander

OK, the example images you sent - what is the source? Are the events in valid syslog format? If the source and hostname are the same and are switching the same way then that usually means that the event is not in syslog format and more specifically is missing the hostname field. In that case, Log Insight uses the source as the hostname. As for why the source is changing, I would guess a DNS issue. The easiest way to test this is to wait until events are coming in as IP and then confirm you can resolve the IP on the Log Insight virtual appliance. Once successful, restart the Log Insight process. This will clear the DNS cache. Log Insight will then do a lookup for the IP and should display it as an FQDN.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
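
The source/hostname rules described in the reply above, as an added Python example that is not part of the original thread and is not Log Insight's own code. It assumes simplified RFC 5424 and RFC 3164 header patterns, a stub resolver in place of real DNS, and constructed sample events using documentation addresses.

```python
import re
import socket

# <PRI>VERSION TIMESTAMP HOSTNAME ...   (RFC 5424)
RFC5424 = re.compile(r"^<\d{1,3}>\d{1,2} \S+ (?P<host>\S+) ")
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: ... (RFC 3164)
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")

def header_hostname(line):
    """Return the HOSTNAME header field, or None when the line carries none."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(line)
        if m:
            host = m.group("host")
            # "-" is the RFC 5424 nil value; "tag:" or "tag[pid]:" in the
            # hostname slot means the sender skipped the hostname.
            return None if host == "-" or host.endswith(":") else host
    return None

def classify(sender_ip, line, resolver=socket.gethostbyaddr):
    """Return (source, hostname) following the rules in the reply above."""
    try:
        source = resolver(sender_ip)[0]      # PTR lookup on the sender
    except OSError:                          # herror/gaierror: no PTR answer
        source = sender_ip
    return source, header_hostname(line) or source

# Constructed data: documentation addresses and example.com names only.
PTR = {"192.0.2.10": "relay.example.com", "192.0.2.20": "db01.example.com"}

def stub_resolver(ip):
    """Offline stand-in with the return shape of socket.gethostbyaddr."""
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip], [], [ip]

SAMPLES = [
    ("192.0.2.10", "<34>1 2013-06-01T10:00:00Z web01.example.com app 42 - - started"),
    ("192.0.2.20", "<13>Jun  1 10:00:01 myapp[42]: disk full"),
    ("192.0.2.30", "<13>Jun  1 10:00:02 myapp[42]: disk full"),
]

def demo():
    return [classify(ip, line, stub_resolver) for ip, line in SAMPLES]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The second and third samples reproduce the symptom in this thread: with no hostname in the header, both fields follow the sender, and they read as an FQDN or a bare IP depending on whether the reverse lookup answered.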
sflanders
Commander

Just following up, were you able to get this addressed?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===