Log source with localhost as log source identifier

A misconfigured log source server can cause confusion and disrupt event ingestion in QRadar. Here is an example where the syslog header carries the hostname localhost instead of the server's real hostname.

Sometimes you want to collect logs from a server in QRadar, but the events keep arriving with localhost in the syslog header, so QRadar assigns localhost as the log source identifier. This is a really bad thing: every server with the same problem ends up under the same identifier and events can no longer be attributed to the host that produced them. Don't worry, fixing this is very easy, and the cause usually lies on the server you are collecting from.

Connect to your server and check the hosts file (/etc/hosts on Linux). You will most likely find a line like this:

127.0.0.1 localhost myhostname myhostname.com

You simply have to change the resolution order by moving localhost to the end of the line, like this:

127.0.0.1 myhostname myhostname.com localhost

Save the change and watch new events arrive with myhostname in the syslog header where localhost appeared before.
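As an added example (not from the original post), a small Python check that shows why the order matters: it reads the first name listed for 127.0.0.1 in a hosts file, which is the name a syslog daemon stamps into the header, and scans syslog lines for headers that still say localhost so you can confirm the fix on the QRadar side. The hosts contents, the RFC 3164 header layout used by the regex, and the log lines are constructed for this example.

```python
import re

# Constructed /etc/hosts contents: the "before" and "after" from the article.
HOSTS_BEFORE = "127.0.0.1 localhost myhostname myhostname.com\n"
HOSTS_AFTER = "127.0.0.1 myhostname myhostname.com localhost\n"


def canonical_name(hosts_text, ip="127.0.0.1"):
    """Return the first hostname listed for `ip` in hosts-file text.

    Reverse resolution through /etc/hosts yields this first name, so it is
    what ends up in the syslog header (and, in QRadar, the log source identifier).
    """
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == ip and len(fields) > 1:
            return fields[1]
    return None


def loopback_resolves_to_localhost(hosts_text):
    """True when the loopback address would be reported as 'localhost'."""
    return canonical_name(hosts_text) == "localhost"


# RFC 3164 style header: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message"
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) "
)


def header_hostname(line):
    """Extract the HOSTNAME field from a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.group(1) if m else None


def localhost_headers(lines):
    """Return the syslog lines whose header hostname is 'localhost'."""
    return [line for line in lines if header_hostname(line) == "localhost"]


# Constructed sample events: one still tagged localhost, one after the fix.
SAMPLE_LOGS = [
    "<34>Mar  3 10:15:01 localhost sshd[1234]: Accepted publickey for ops from 192.0.2.10",
    "<34>Mar  3 10:15:02 myhostname sshd[1234]: Accepted publickey for ops from 192.0.2.10",
]
```

If the header does not change after editing the hosts file, the syslog daemon on the server may need a restart to pick up the new name.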


You have reached the end of this article, huge thanks for reading 🫢

πŸ‘¨β€πŸ‘©β€πŸ‘§β€πŸ‘¦ To become a more friendly guru of QRadar, join the community and subscribe to the newsletter.

🤗 To become a nicer guru of QRadar, leave a comment; your feedback is always welcome (when constructive, of course).
