Wednesday 25 October 2017

ArcSight Connector: Standard DNS Connector Deployment

An out-of-the-box Windows DNS Connector deployment does not populate deviceHostName with the DNS server whose log it is reading, so every event looks as if it came from the Connector host. We can fix this with a couple of tweaks:

1) Ensure the DNS server's IP address is part of the folder structure. When configuring and sharing the DNS logs, set up the file share as follows:

\WindowsServer\deviceIP\anotherfolder\

The rest of the folder structure doesn't matter much as long as the deviceIP folder exists. An example would be

\\windowshostname\1.1.1.1\logs\

2) In agent.properties, ensure the following is set for the folder table entry that reads the DNS log:

agents[1].foldertable[0].extractfieldnames=deviceHostName
agents[1].foldertable[0].extractregex=/opt/mnt/(.*)/dns.log
agents[1].foldertable[0].extractsource=File Path
agents[1].foldertable[0].fixedlinelength=-1
agents[1].foldertable[0].fixedlinelengthcontains=Fixed Number Of Characters
agents[1].foldertable[0].folder=\WindowsServer\(.*)\anotherfolder\dns.log
agents[1].foldertable[0].followexternalrotation=true


This tells the Connector to extract deviceHostName from the File Path. The capture group in the RegEx picks the deviceIP folder name (in this case 1.1.1.1) out of the path and adds it as deviceHostName to every event read from that file. Two things to check before relying on it: the extractregex must match the path as the Connector itself sees the file (here the /opt/mnt/... mount point of the share on the Connector host, not the UNC path of the share), and a greedy (.*) followed by a subfolder such as logs captures 1.1.1.1/logs rather than 1.1.1.1, so match a single path component (for example [^/]+) if the log sits below the deviceIP folder.
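To dry-run the extraction before touching the Connector, here is an added example (not from the original post or from ArcSight) that applies the post's extractregex to a few constructed file paths and shows what would land in deviceHostName. It assumes the Connector applies the regex as an unanchored search and takes the first capture group; the tightened regex and the sample paths are the author's own illustrations.

```python
import ipaddress
import re

# The extractregex and target field from the agent.properties snippet above.
EXTRACT_REGEX = r"/opt/mnt/(.*)/dns.log"
EXTRACT_FIELD = "deviceHostName"

# Hypothetical tightened regex: one path component for the deviceIP folder,
# then any number of subfolders before dns.log.
TIGHT_REGEX = r"/opt/mnt/([^/]+)/(?:.*/)?dns\.log"

# Constructed sample paths as they would appear on the Connector host once the
# Windows share is mounted under /opt/mnt.
SAMPLE_PATHS = [
    "/opt/mnt/1.1.1.1/logs/dns.log",  # the post's layout: deviceIP then a subfolder
    "/opt/mnt/1.1.1.1/dns.log",       # deviceIP folder directly under the mount
    "/opt/mnt/dns.log",               # no deviceIP folder at all
]


def extract_field(path, regex=EXTRACT_REGEX, field=EXTRACT_FIELD):
    """Mimic File Path extraction: first capture group -> field (assumed semantics)."""
    m = re.search(regex, path)
    if not m:
        return {}
    return {field: m.group(1)}


def is_ip(value):
    """True if the extracted value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit(paths, regex=EXTRACT_REGEX):
    """Dry-run the regex over paths; flag values that would not be a usable deviceIP."""
    report = []
    for path in paths:
        value = extract_field(path, regex).get(EXTRACT_FIELD)
        report.append((path, value, value is not None and is_ip(value)))
    return report


if __name__ == "__main__":
    for label, regex in (("post's regex", EXTRACT_REGEX), ("tightened regex", TIGHT_REGEX)):
        print(f"== {label}: {regex}")
        for path, value, ok in audit(SAMPLE_PATHS, regex):
            print(f"  {'OK ' if ok else 'BAD'} {path} -> {value!r}")
```

Run it on the Connector host with the real paths (for example the output of find /opt/mnt -name dns.log) in place of SAMPLE_PATHS; any BAD line means events from that file would carry an empty or malformed deviceHostName.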
