Check your host's /etc/nsswitch.conf file and verify the line for "hosts: files dns" does exist and has files before dns. Then edit /etc/hosts and add a single line for the IP followed by the hostname you want it to show as the source in graylog. If your host's resolver finds a match in /etc/hosts, it won't query DNS.
I use this trick on the rsyslog host that I have planted in front of our graylog cluster, and it does the resolving at that point. As I do it there, I don't do it on the graylog server. I am assuming that graylog will use a similar process.

On Thu, Feb 18, 2016 at 11:25 AM, Dennis Seaton <[email protected]> wrote:
> On our DNS server one of my machines has two A records, and two
> corresponding PTR records.
>
> ie:
> server1 = 10.10.10.1
> server001 = 10.10.10.1
>
> This causes Graylog to treat this server as two different sources, it
> splits all input from that collector 50/50, some log entries show as source
> "server1" some show source "server001". Apparently these double entries
> are required for one of our apps.
>
> Without making any DNS changes, is there a way I can tell Graylog that
> anything gl2_remote_ip=10.10.10.1 should show as source "server1" ? Is
> there some kind of "hosts file" I can use to override DNS lookups?
>
> Thanks in advance,
> Dennis

--
No matter what we think of Linux versus FreeBSD, etc., the one thing I really like about Linux is that it has Microsoft worried. Anything that kicks a monopoly in the pants has got to be good for something. - Chris Johnson
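A check for the setup described in the reply above, as an added example that is not part of the original thread: it confirms that `files` precedes `dns` on the `hosts:` line and that a hosts file maps the IP to exactly one name. The function names and the temp-file sample are constructed for illustration; 10.10.10.1 and server1 come from the question.

```shell
#!/bin/sh
# Added example: verify a hosts-file override for a log source.
# File paths are parameters so the checks can run against copies.

# Succeeds if the "hosts:" line lists "files" ahead of "dns".
files_before_dns() {
    awk '
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue   # skip actions such as [NOTFOUND=return]
                if ($i == "files" && !f) f = i
                if ($i == "dns" && !d) d = i
            }
            found = 1
            exit
        }
        END { exit !(found && f && (!d || f < d)) }
    ' "$1"
}

# Prints the first name of every hosts-file entry for an IP, one per line.
hosts_names_for_ip() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                 # drop comments
        $1 == ip { print $2 }
    ' "$1"
}

# usage: check_override NSSWITCH HOSTS IP NAME
# Fails if lookup order is wrong, or the IP has no entry, several entries,
# or an entry with a different name.
check_override() {
    files_before_dns "$1" || { echo "FAIL: files is not before dns in $1"; return 1; }
    names=$(hosts_names_for_ip "$2" "$3")
    [ -n "$names" ] || { echo "FAIL: no entry for $3 in $2"; return 1; }
    [ "$names" = "$4" ] || { echo "FAIL: $3 maps to: $(echo $names)"; return 1; }
    echo "OK: $3 -> $4"
}

# Constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf 'passwd: files\nhosts: files dns\n' > "$d/nsswitch.conf"
    printf '127.0.0.1 localhost\n10.10.10.1 server1  # pinned source name\n' > "$d/hosts"
    check_override "$d/nsswitch.conf" "$d/hosts" 10.10.10.1 server1
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

On a live host, `getent hosts 10.10.10.1` shows the name the resolver actually returns after the change.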
