NXLog: Convert Windows Hostname to Host-IP in the Logs

 Hi all,

Recently I faced an issue while sending Windows logs to my log collector: the logs arrived in the format below

Timestamp, System Hostname , Event-ID, etc etc

To resolve the hostname to an IP address the collector would need access to a local DNS server, but there is no local DNS :-P

So there are two solutions:

  1. Create a local DNS server, add entries for all the hosts and point the log collector to it.
  2. Find a workaround to implement on every server so it converts its own hostname to its local IP before forwarding the logs to the collector.

After googling for around 4-5 hours I wasn't able to find a proper solution; every solution I read converted an IP to a hostname, not the other way round. So I started reading the NXLog documentation and found a core function that can be used to convert the hostname to the host IP.

Let's assume you have already configured the Input block in the NXLog config file and you know which logs are to be collected.
Next, add the lines below to your config file:

<Input eventlog>

    ##### your event log collecting directives go here #####

    <Exec>
        parse_syslog();
        # host_ip() returns the machine's first non-loopback IP address
        $HOSTIP = host_ip();
        # overwrite the hostname field with that address as a string
        $Hostname = string($HOSTIP);
    </Exec>
</Input>

The five lines from <Exec> to </Exec> above replace the hostname in every log with the system's IP address (non-loopback). The final logs will look like this in the collector:

Timestamp, X.X.X.X (IP) , Event-ID, etc etc
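For a complete picture, here is a minimal config built around the Exec block from the post. This is an added example, not the post's own config: it assumes the collector accepts BSD syslog over TCP at the placeholder address 192.0.2.10:514, loads xm_syslog (required for the syslog functions) and calls to_syslog_bsd() so the overwritten $Hostname is what lands in the syslog header the collector reads.

```nxlog
# Added example; placeholder collector address, adjust to your environment
<Extension _syslog>
    # Provides parse_syslog(), to_syslog_bsd() and friends
    Module  xm_syslog
</Extension>

<Input eventlog>
    # Read the Windows Event Log
    Module  im_msvistalog
    <Exec>
        # host_ip() resolves this machine's hostname and returns
        # the first non-loopback address; store it in $Hostname
        $Hostname = string(host_ip());
        # Rebuild $raw_event as a BSD syslog line whose HOSTNAME
        # field is taken from $Hostname, i.e. the IP set above
        to_syslog_bsd();
    </Exec>
</Input>

<Output collector>
    Module  om_tcp
    Host    192.0.2.10    # placeholder collector IP
    Port    514
</Output>

<Route eventlog_to_collector>
    Path    eventlog => collector
</Route>
```

Because host_ip() resolves the local hostname and takes the first non-loopback result, a multi-homed server may report an interface other than the one it uses to reach the collector; check the first few forwarded lines after deploying.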


Thanks

