
How do I capture both IP (ip_address) and hostname (host) information in my logs?

Hello all. I am trying to capture **BOTH** IP address info **AND** hostname in my logs. This data needs to be part of the actual logged data, not an added lookup field.

I have found this line in the inputs.conf file:

```
[default]
connection_host =
```

By messing around with this, I was able to get this default section to work:

```
[default]
host = localhost
connection_host = ip
```

By adding the "localhost", the forwarder is forced to use the connection_host line for the "host" field. Now my search results show an IP address for the "host" field in my searches.

The problem is, I need both IP info AND hostname data, and I would really like the hostname to be in the "host" field, and put the IP address in a custom field (I assume `_meta:IP_ADDRESS::myip`).

My reason for this need: We will be working with several different groups of computers, and there will most likely be hostname or IP address overlaps. Also, the security team likes to be able to trace activity back via IP address, as not all devices log DNS names of network activity (firewalls/switches). With so many internal networks, we have no insight into their DNS for lookups anyway. IP is much easier.

I need to have my log contain the fields:

```
ip_address =
host =
```

Currently, I can only get my "host" to be **EITHER** IP **or** hostname. I have no way to populate ip_address with data.

This is a continuation of this post from last year: https://answers.splunk.com/answers/271921/how-to-keep-ip-source-info-from-the-originating-un.html
