Syslog alerts display ip address as "hostname" for Cisco equipment

Probably not DNS...

This is probably because the interface/ip address that is sending the syslog message is not the same interface/ip address of the node that was discovered in orion. If you change the ip address of the node in orion to the ip address that is sending the messages, the hostname will fill in correctly.

Devices that send syslog messages usually have many ip addresses. Unfortunately orion only knows about 1 of them, the one it discoverd the device with.

Actually, I believe this is a DNS issue.  If I am not mistaken, the syslog server does a reverse lookup on the source ip in the syslog message.  If it is able to resolve the ip to a name through DNS then it puts this in the hostname field in the syslog table.  If the reverse DNS lookup is unsuccessful then it puts the ip address in the hostname field.  Configuring reverse DNS entries for any ip addresses sending syslog messages to the syslog server should clear up your issue. 

I think sedmo is correct.  When a syslog message comes in NPM will try to resolve the source IP Address using the methods available (Hosts file, DNS query, LMHosts, NetBios query), if it does not succeed for any of them, it will keep showing the IP Address for the Hostname.  Make sure your DNS has setup PTR records so it can do reverse lookup and find a name for the IP address.

I definitely think it is a DNS issue. Have you tried creating an A host record for it in the DNS server?

So I am not sure if this is completely a DNS issue. We have PTR enabled. When I have the device pointing at Orion, the syslog shows the proper DNS name. When I have the device pointing at Kiwi Syslogs... I get an IP address. Any advice?

I had the same problem. I created a hosts file on my NPM server (it was faster then having the DNS folks create the entry) and the hostname field started displaying the name instead of the ipaddress.

But the strange part is we already have these nodes setup in DNS fine and it works great. Like I said, we point it at Orion NPM syslog and the hostname shows. We purchased the Kiwi syslog, and all i see are wonderful IP address.. but alas I wish to see proper hostname that is in DNS.

By the way we are using HP procurve edge switches... 3500, 5406/12 etc..

Have you verified that Kiwi Syslog is configured to do DNS resolutions?

Thanks for the reply Sedmo,

We have both our dns server listed and we have the "resolve internal address using DNS" checked off. We also have the correct range in the ranges section.

So it turns out there is this fancy section in the setup that states "replace IP address with hostname". checked it off and now i am laughing. So chocke this up to a long work week... thanks everyone for the help!