DNS resolution — Legacy
This documentation is for legacy Kiwi Syslog Server versions 9.8.3 and older. See the KSSNG version of DNS resolution for the newest version of the following documentation.
Complete the following steps to specify DNS resolution options.
- Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
- Click DNS Resolution.
- Specify the following options:
Resolve the address of the sending device: converts the IP address of the sending device into a more meaningful host name. Instead of 203.50.23.4 you will see something like "sales-router.company.com".
The resolved host name is then used in the display and other actions.
The resolved host name is also what the "Hostname" type filter matches against. Because the PTR record for an address is controlled by whoever administers that address range, treat the resolved name as untrusted input and do not rely on a Hostname filter alone to establish where a message came from.
If you like, the domain name section can be removed from the display by using the Remove the domain name option.
Remove the domain name (show only the host name): if the Resolve the address of the sending device option is also checked, this option removes the trailing domain name from the resolved host name. In this case, instead of "sales-router.company.com" you will see just "sales-router".
Enabling this option is useful when you only receive messages from a single domain or to reduce the amount of space used by the host name in the scrolling display.
This option also affects the host name field used for all the logging actions.
Resolve IP addresses found within the syslog message text: this option is available only in the registered version.
When you are logging data from web servers, firewalls and similar devices, the message text may contain IP addresses. To turn these IP addresses into meaningful names and website addresses, enable this option. The program searches the message text for IP address entries and resolves each one it finds. You can also specify how the resolved name is displayed: either replace the IP address with the name, or place the name after the IP address in the message text.
* NetBIOS names can require more time to resolve than normal DNS entries. If you want to resolve NetBIOS names, increase the DNS timeout to 20 or 30 seconds.
Examples:
Test user connected to website http://192.168.1.2/index.html. src=192.168.5.100 rxbytes=64
With the replace IP address with host name option, the message becomes:
Test user connected to website http://website.company.com/index.html. src=userpc.company.com rxbytes=64
With the place host name next to IP address option, the message becomes:
Test user connected to website http://192.168.1.2 (website.company.com) /index.html. src=192.168.5.100 (userpc.company.com) rxbytes=64
The Remove the domain name option allows the stripping of the domain name portion from the resolved host name.
To selectively keep or remove the domain name based on a filter match, check the If domain name contains check box.
Place the domain name substrings to remove in quotes. To filter multiple domains, separate each quoted string with a space or comma.
".companyabc.com", ".companyxyz.co.uk"
With this filter, an IP address that resolves to mypc.companyxyz.co.uk is shown as just "mypc", while a name such as mypc.othercompany.com, which contains none of the listed substrings, keeps its domain name.
Hostname tagging:
When you have selected the place host name next to IP address option, the hostname is normally tagged with brackets and a space character. The resolved host name can be tagged with any characters you like. For example, you might like to prefix the host name with "hostname=[" and then have a "] " suffix. You can change the prefix and suffix characters to fit the format of your messages.
A suggested tagging format for WELF format messages would be a prefix of resolved_host= and a suffix of a space character.
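The following is an added example, not part of the Kiwi Syslog Server documentation or product, that reproduces the message-text rewriting described above in Python: it finds every IPv4 address in a message, resolves it, and renders the result in either display mode with configurable prefix/suffix tagging and optional domain stripping (always, or only when the resolved name contains one of the "If domain name contains" substrings). Reverse DNS is replaced by a constructed in-memory mapping so the example runs offline; the default tagging of a leading space plus brackets is this example's assumption about the product's default, and unresolvable addresses are left unchanged.

```python
import re
from typing import Dict, Optional, Sequence

# Constructed stand-in for reverse DNS (IP -> PTR name). A real deployment issues
# PTR lookups here; the fixed mapping keeps the example offline and deterministic.
REVERSE_DNS: Dict[str, str] = {
    "192.168.1.2": "website.company.com",
    "192.168.5.100": "userpc.company.com",
    "10.9.8.7": "mypc.companyxyz.co.uk",
}

# Dotted-quad IPv4 with each octet limited to 0-255, bounded by word boundaries so
# that "192.168.1.2/index.html" matches the address only.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def resolve(ip: str) -> Optional[str]:
    """Reverse-resolve one address; None when there is no answer (no PTR, timeout)."""
    return REVERSE_DNS.get(ip)


def strip_domain(host: str, only_if_contains: Sequence[str] = ()) -> str:
    """Mirror the 'Remove the domain name' option.

    With no filter substrings the domain is always removed. With substrings given
    (the 'If domain name contains' option) the domain is removed only when the
    resolved name contains one of them; otherwise the full name is kept.
    """
    if only_if_contains and not any(s in host for s in only_if_contains):
        return host
    return host.split(".", 1)[0]


def rewrite_message(
    text: str,
    mode: str = "append",      # "replace" or "append"
    prefix: str = " (",        # tagging used in "append" mode (assumed default)
    suffix: str = ")",
    remove_domain: bool = False,
    domain_filter: Sequence[str] = (),
) -> str:
    """Resolve every IPv4 address in the message text and render it.

    mode="replace": the address is substituted by the resolved host name.
    mode="append":  the host name is inserted after the address as prefix+name+suffix.
    Addresses that do not resolve are left exactly as they were in either mode.
    The resolved name comes from a PTR record the address owner controls, so it
    is appended as display text only and is never used to make a trust decision.
    """
    if mode not in ("replace", "append"):
        raise ValueError("mode must be 'replace' or 'append'")

    def substitute(match: "re.Match[str]") -> str:
        ip = match.group(0)
        host = resolve(ip)
        if host is None:
            return ip
        if remove_domain:
            host = strip_domain(host, domain_filter)
        if mode == "replace":
            return host
        return f"{ip}{prefix}{host}{suffix}"

    return IPV4_RE.sub(substitute, text)


if __name__ == "__main__":
    # Constructed sample message, modelled on the example in the text above.
    sample = ("Test user connected to website http://192.168.1.2/index.html. "
              "src=192.168.5.100 rxbytes=64")
    print(rewrite_message(sample, mode="replace"))
    print(rewrite_message(sample, mode="append"))
    # WELF-style tagging with selective domain stripping.
    print(rewrite_message("src=10.9.8.7 dst=203.0.113.9", mode="append",
                          prefix=" resolved_host=", suffix="",
                          remove_domain=True,
                          domain_filter=[".companyabc.com", ".companyxyz.co.uk"]))
```

Swapping `resolve()` for a real PTR lookup is the only change needed to use this against live data; keep the timeout discussion below in mind when you do, because every address found in the text is a separate lookup.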
DNS query timeout: specifies how long to wait for the DNS server to respond to a lookup query. The default is 8 seconds. You may change this value if you are using a slow DNS server or the requests go through a slow network link.
This timeout should only be increased if you are trying to resolve addresses via NetBIOS (the machine names of computers running Windows). NetBIOS names can sometimes take up to 20 seconds to resolve via a unicast lookup request.
If your DNS server is local and you are only resolving internal addresses, you can safely reduce the timeout to 3 seconds.
If you increase the timeout too much, messages may queue up waiting for resolution to finish; each lookup that receives no answer holds a message for the full timeout, so a burst of messages from (or containing) addresses with no responding reverse DNS is enough to fill the queue. When the queue reaches 1000 entries, messages are dropped. The message buffer free space can be seen on the main syslog screen.
- Click Apply to save your changes.