Syslog node names?

Are the Cisco? If they are Cisco devices, make sure you have enabled origin-id logging for syslog messages. The command is:

logging origin-id { hostname | ip | ipv6 | string user-defined-id }

"hostname" specifies that the hostname will be used as the message origin identifier and "ip" specifies that the IP address of the sending interface will be used as the message origin identifier.

Some are Cisco, some aren't. For the Cisco ones, I don't seem to have the "logging origin-id" option. I do have "logging device-id hostname" which doesn't seem to have affected the name of the node in LEM. Any ideas?

Cisco docs says the command has been supported from 12.2(15)T release train onwards. Is your device an ASA? ASA command reference states that "logging device-id hostname" would set the hostname of the device as the device id to be sent in syslog messages.

Hi,

is there a way to change it on LEM itself other than from the source device.

No, the LEM gets the node names from what it sees in the logs and those aren't customizable in the LEM interface.

Maybe there should be a feature like Kiwi Sylogs where i can input a Host file to translate IP addresses to hostnames.

It's unfortunate that LEM doesn't include some way of changing IP addresses to human readable node names. Donthomas provided a way of fixing this from a Cisco device running 12.2 or later, but what if I have older devices? What if I have non-Cisco devices? There should be some way to manually map IP addresses to names.

In my experience, most vendors provide a way to change the source name of log messages, like Cisco.  Those are usually available from the various vendor admin guides.  If you have devices older than IOS 12.2, then you have other problems: why are you worrying about logging and auditing with a version of IOS that has so many known vulnerabilities instead of addressing the vulnerabilities?

I agree with @curtisi. A Cisco device with an IOS older than 12.2 would be the bigger issue - that is vulnerabilities galore.

For your requirements, LEM depends on the syslog device to provide the name and does not have a customizable name option. But I think a similar request is open for voting:

Do check and add your vote.

Hello, Solarwinds has a database for Syslog. In this DB there are a HOSTNAME_UNICODE column which is used to show Syslog Hostname under Syslog web page.

Is uses DNS to fill this column, and if DNS does not work it fills it with IP address, but it's not regularly updated.

We changed hostnames of our devices but Syslog kept showing old ones. No DNS is configured.

I found a couples ways to fix this.

You can:

1) Update Syslog.Hostname_UNICODE field to match Node.Caption or Node.Sysname using SQL update statement.

Or

2) Using Syslog Viewer application from your Solarwinds server you can define which columns to show on the syslog web page, and you may replace Source Hostname (from Syslog.Hostname) with Node Name (From Nodes.Caption).