Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Syslog Message from - Name or IP?

I am curious why some of my SYSLOG alerts contain the node name and why sometimes these same alerts only contain the IP address of the device. Here is my example

This one came in the node name:
Johnson-10:172.16.4.238
1/7/2006 12:25 AM : PM-4-ERR_DISABLE 50: Jan 7 00:25:03.622 eastern: %PM-4-ERR_DISABLE: link-flap error detected on Fa1/0/35, putting Fa1/0/35 in err-disable state

This is a syslog alert from the same switch without the node name:
172.16.4.238:172.16.4.238
1/6/2006 11:03 PM : PM-4-ERR_DISABLE 49: Jan 6 23:03:15.649 eastern: %PM-4-ERR_DISABLE: link-flap error detected on Fa1/0/36, putting Fa1/0/36 in err-disable state

This is somewhat annoying as our helpdesk staff is trained to use the very useful node names when creating tickets or dispatching techs.

Nothing worse then being a tech and getting paged to drive to 172.16.4.238.

Find more posts tagged with

missing_hostname

syslog

Accepted answers

All comments

vhcato

Do you have multiple IP addresses on the switch? If so, are you specifying which interface to use as the source of syslog messages via the "logging source-interface" command, and is that the same interface IP used to define the device in Orion?

bleearg13

I've seen this occur when the NPM service has been restarted. NPM syslog server has an internal DNS cache. When the service is restarted, the cache is flushed and all messages that come through on any IP for the first time after the restart will show up as an IP rather than a hostname.

aLTeReGo

I only have one IP interface defined on the switch so I should not need to define a logging source as it only has one to choose from. If you look carefully at the examples above, the same switch, with the same IP address is doing the syslog, only in one of them there seems to be an association with the managed node in SolarWinds, and in the other it is missing its association.

I would be interested to know if SolarWinds could explain if the name in the syslog entry is the responsibility of Orion Syslog service to associate, or if the switch hostname is part of the standard Cisco syslog entry. I would be happy to open a case with Cisco if it turns out this is a problem with the switch not forwarding its hostname in the syslog, but something tells me that SolarWinds syslog service is associating IP address to managed node object in Orion and that is what is failing. Thoughts?

Network_Guru

It might also be a problem with the Reverse DNS 'PTR' zone for that IP.
Perhaps the DNS reverse lookup times out sometimes when the Orion server gets too busy?

Most Syslog apps use DNS to lookup the name of IPs in the messages - not sure if Solarwinds does the same?
(I'm still on V7.5.9, so I have not had a chance to play with this yet)

-=Cheers=-
NG

aLTeReGo

I don't believe that DNS reverse lookup is used for Syslog. It seems like the Orion node name is what is used. Can anyone @ SolarWinds confirm/deny?

CCrew

quote:Originally posted by aLTeReGo

I don't believe that DNS reverse lookup is used for Syslog. It seems like the Orion node name is what is used. Can anyone @ SolarWinds confirm/deny?

Appears to with mine, as I get different entries based on whether I have PTR records set correctly.

Ciag

Hi,

I know this is an old post but did you get a definitive answer/solution to this? I upgraded to V10 on Tuesday night. I was lucky enough to be able to truncate the syslog table as a precaution. Now that everything is back up I have loads and loads of syslog messages from devices that we monitor in NPM but do not show the hostname in their syslog messages when viewed in the GUI.

Some devices have messages with the hostnames and the same devices have messages without hostnames.

Lot's of devices do not have any hostname at all in their syslog messages.

All devices I've checked use the same IP in the syslog msg as used to manage them in Orion

Our SQL server & the server running the syslog service are far from being stressed in any way.

If it is rebuilding the a DNS cache wouldn't it have been built by now as it's had 2.5 days since the upgrade? But still the majority of syslog messages do not have hostnames associated with them.

Using the syslog viewer app on the server I can see that every message has an associated hostname but when I search the same messages in the GUI there is no name against it.

Thanks

netwiz2007

I cannot confirm or not confirm, but I believe the syslog utilizes external DNS for resolving the IP's. What I see is that sometimes the message will come in as an IP address and then the second or third message (from same node) will come in as a name. I think I read in a post somewhere that the NPM alert will try send the alert out as quick as possible, sometimes the DNS resolution has not been received in time and therefor the message is sent out with no name.

The method I use to overcome this is to run a query on the database capturing node name and managed IP address of that node, I then did some manipulation of that data and created a /etc/hosts file. It is currently a manual effort and needs to be kept up weekly but it works. Obviously you must ensure that the device has the syslog source interface set to the IP that you are managing the node with.

Ciag

Thanks for your insight, yes the IP addresses used by NPM to manage the nodes and the syslog src int on the nodes are the same.

I was just thinking, regardless of where in the chain the DNS is resolving it doesn't explain why I am seeing a hostname entry for every single syslog message when I view them in the Syslog viewer app on the server. But when I view the same messages in the web GUI there are only IP addresses with no hostnames.