
108.23. Resolver (xm_resolver)

This module provides functions for resolving (converting between) IP addresses and names, and between group/user IDs and names. The module uses an internal cache in order to minimize the number of DNS lookup queries.

108.23.1. Configuration

The xm_resolver module accepts the following directives in addition to the common module directives.

CacheExpiry

Specifies the time in seconds after which entries in the cache are considered invalid and are refreshed by issuing a DNS lookup. The default expiry is 3600 seconds.

CacheLimit

This directive can be used to specify an upper limit on the number of entries in the cache in order to prevent the cache from becoming arbitrarily large and potentially exhausting memory. When the number of entries in the cache reaches this value, no more items will be inserted into the cache. The default is 100,000 entries.

108.23.2. Functions

The following functions are exported by xm_resolver.

string gid_to_name(integer gid)

Return the group name assigned to the group ID. If gid cannot be looked up, undef is returned.

string gid_to_name(string gid)

Return the group name assigned to the string gid on Unix. If gid cannot be looked up, undef is returned.

integer group_get_gid(string groupname)

Return the group ID assigned to the group name.

string ipaddr_to_name(unknown ipaddr)

Resolve and return the DNS name assigned to the IP address. The ipaddr argument can be either a string or an ip4addr type.

ip4addr name_to_ipaddr(string name)

Resolve and return the first IPv4 address assigned to name.

string uid_to_name(integer uid)

Return the username corresponding to the user ID. If uid cannot be looked up, undef is returned.

string uid_to_name(string uid)

Return the username corresponding to the user ID or SID. This function takes a string which is normally a SID on Windows or an integer UID on Unix. On Windows this function will convert the SID to a string in the format of DOMAIN\USER. If uid cannot be looked up, undef is returned.

integer user_get_gid(string username)

Return the user’s group ID (the group ID assigned to username).

integer user_get_uid(string username)

Return the user ID assigned to username.

108.23.3. Examples

Example 519. Using Functions Provided by xm_resolver

It is common for devices to send Syslog messages containing the IP address of the device instead of a real hostname. In this example, Syslog messages are parsed and the hostname field of each Syslog header is converted to a hostname if it looks like an IP address.

nxlog.conf
<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension _resolver>
    Module      xm_resolver
</Extension>

<Input tcp>
    Module      im_tcp
    Host        0.0.0.0
    Port        1514
    <Exec>
        parse_syslog();
        if $Hostname =~ /^\d+\.\d+\.\d+\.\d+/
        {
            $HostIP = $Hostname;
            $Hostname = ipaddr_to_name($HostIP);
            if not defined $Hostname $Hostname = $HostIP;
        }
    </Exec>
</Input>

<Output file>
    Module      om_file
    File        'tmp/output'
    Exec        to_syslog_bsd();
</Output>

<Route tcp_to_file>
    Path        tcp => file
</Route>
Input Sample
<38>2014-11-11 11:40:27 127.0.0.1 sshd[3436]: Failed none for invalid user asdf from 127.0.0.1 port 51824 ssh2
<38>2014-11-12 12:42:37 127.0.0.1 sshd[3436]: Failed password for invalid user fdsa from 127.0.0.1 port 51824 ssh2
Output Sample
<38>Nov 11 11:40:27 localhost sshd[3436]: Failed none for invalid user asdf from 127.0.0.1 port 51824 ssh2
<38>Nov 12 12:42:37 localhost sshd[3436]: Failed password for invalid user fdsa from 127.0.0.1 port 51824 ssh2
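As an added illustration (not NXLog's code), the following Python models the CacheExpiry/CacheLimit semantics from 108.23.1 and the hostname rewrite of Example 519, run over the Input Sample lines above. The reverse-DNS lookup is a constructed table so it runs offline, and the class and function names are assumptions.

```python
import re
import time
from datetime import datetime

# Constructed stand-in for reverse DNS (offline); None models NXLog's undef.
FAKE_PTR = {"127.0.0.1": "localhost"}
fake_lookup = FAKE_PTR.get   # unknown addresses resolve to None (undef)

class ResolverCache:
    """Models the CacheExpiry / CacheLimit behaviour described in 108.23.1."""
    def __init__(self, lookup, expiry=3600, limit=100000, clock=time.monotonic):
        self.lookup, self.expiry, self.limit, self.clock = lookup, expiry, limit, clock
        self.entries = {}   # ip -> (name_or_None, time_inserted)
        self.lookups = 0    # backend queries actually issued

    def resolve(self, ip):
        now = self.clock()
        hit = self.entries.get(ip)
        if hit is not None and now - hit[1] < self.expiry:
            return hit[0]                       # fresh entry: no DNS query
        self.lookups += 1
        name = self.lookup(ip)                  # missing or expired: query DNS
        if hit is not None or len(self.entries) < self.limit:
            self.entries[ip] = (name, now)      # refresh, or insert while below the limit
        return name

SYSLOG = re.compile(r"^<(\d+)>(\S+ \S+) (\S+) (.*)$")   # <pri>date time host msg
IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+")                # same test as the Exec block

def rewrite_hostname(line, cache):
    """Replace an IP-looking hostname with its PTR name; keep the IP if lookup fails."""
    m = SYSLOG.match(line)
    if not m:
        return line
    pri, ts, host, msg = m.groups()
    if IPV4.match(host):
        name = cache.resolve(host)
        host = name if name is not None else host
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")      # to_syslog_bsd()-style timestamp
    return f"<{pri}>{dt:%b} {dt.day:2d} {dt:%H:%M:%S} {host} {msg}"

# Constructed input: the two lines from the Input Sample above.
SAMPLE_INPUT = [
    "<38>2014-11-11 11:40:27 127.0.0.1 sshd[3436]: Failed none for invalid user asdf from 127.0.0.1 port 51824 ssh2",
    "<38>2014-11-12 12:42:37 127.0.0.1 sshd[3436]: Failed password for invalid user fdsa from 127.0.0.1 port 51824 ssh2",
]

def process_sample(cache=None):
    cache = cache or ResolverCache(fake_lookup)
    return [rewrite_hostname(line, cache) for line in SAMPLE_INPUT]
```

Keeping the IP when the lookup returns undef, as the Exec block does, means a resolution failure never strips the source address from the event; the second sample line is served from the cache without a second query.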