Graylog, Name Match


I have Graylog working … sort of :smile:. It’s working with some machines. I’m sure the issue is name match - between LibreNMS and Graylog. Where the name is an exact match, all is good. But if one side uses FQDN, the other not … then no transfer of logs. And even worse, some machines report, for example, a source like “wap-livingroom--c” => not matching the machine name, or FQDN either. Is there a way to tell LibreNMS to get the logs for a particular source (name)?


I cannot offer a concise answer to your exact problem. But I can offer some general suggestions regarding hostnames/DNS/etc. to make your life easier in the long run. Not just for the graylog integration, but for LibreNMS in general.

  1. Have a functional and complete DNS setup, and maintain it. Religiously.
  2. Do not use IP addresses in configs wherever and whenever you can avoid it.
  3. Decide if you want to refer to hosts with FQDN or bare hostnames, and stick to that everywhere you can. Some prefer bare hostnames; it may cause challenges in some places. Which strategy yields the least amount of challenges in total is unclear and depends on many factors. If the hosts you manage belong to more than one DNS domain, you should go with FQDN.
  4. syslog can be configured in a myriad of ways, check the documentation for your brand of gear to make sure it reports the hostname in your preferred way.
  5. SNMP sysName by convention defaults to FQDN. (If sysName is not specifically set.) You may be able to configure an SNMP sysName different from hostname, depending on the SNMP implementation in your device.
  6. LLDP by convention (or spec?) reports FQDN. Some vendors report a bare hostname. Some changed their default along the way. (Juniper…) Some report nothing at all. A minor fix to match hosts in LibreNMS w/o an FQDN with an LLDP neighbor with an FQDN is about to enter the codebase shortly.
  7. Remember to set config['mydomain']. (If only one DNS domain…)

First off, thanks for the pointers! What you say makes sense, and I have been sticking with naming pretty consistently. Unfortunately syslog on the various sources isn’t near as consistent, and I think that’s the underlying issue. Sometimes it’s FQDN, others it’s just the hostname … and yet others, it’s a modified hostname (those are a real mess). Hence the desire to be able to override for Graylog (for a device), say what source to match to.

Make sense?

Thanks again.

You have applied the final part of, I presume?
Are there any common denominators among the hosts causing issues for you? OS, brand, device type…

Yes - exactly! This is how I got it set up and running (sort of at least … LOL). My problem (and why I asked about a custom field to match in Graylog) - as you note, there is an OS dependence here,

  1. pfSense (BSD) - uses FQDN
  2. Ubuntu - seems to only use / store based on hostname
  3. ASUS (Wi-Fi router) - uses hostname, with --c appended to it (yep, others have confirmed this too :frowning:)
  4. macOS - even more odd here … some entries with hostname, others with FQDN

So as you can see, very much a client / OS dependence. Ignoring 4) (variable output), at least 3) is not really modifiable … it’s firmware, and controlled by the vendor. That’s why I thought it may be handy to have the ability to set this in LibreNMS.

Make sense?
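
The matching problem discussed in this thread, as an added example (not code from any poster, LibreNMS or Graylog): a resolver that maps a syslog source name to an inventory device name using an explicit per-source override first, then exact match, then FQDN/bare-hostname reconciliation, and that refuses to guess when a short name is ambiguous across domains. The inventory, the `home.example` domain, the override table and the function names are all constructed assumptions.

```python
# Added example: inventory, domain and override table are constructed sample data.
MYDOMAIN = "home.example"  # assumed single default DNS domain
DEVICES = {                # device names as registered in the monitoring system
    "fw.home.example",
    "nas",                            # registered with a bare hostname
    "wap-livingroom.home.example",
    "mac.lab.example",
    "mac.guest.example",              # same short name in a second domain
    "printer.lab.example",
}
# Explicit overrides for sources whose firmware reports a modified hostname.
OVERRIDES = {"wap-livingroom--c": "wap-livingroom.home.example"}


def _norm(name):
    """Case-fold and drop whitespace and any trailing root dot."""
    return name.strip().lower().rstrip(".")


def match_source(source, devices=DEVICES, overrides=OVERRIDES, domain=MYDOMAIN):
    """Return the inventory name for a syslog source, or None if unknown or ambiguous."""
    src = _norm(source)
    by_norm = {_norm(d): d for d in devices}
    if src in overrides:                      # 1. explicit override wins
        return by_norm.get(_norm(overrides[src]))
    if src in by_norm:                        # 2. exact match after normalisation
        return by_norm[src]
    if "." not in src:                        # 3. bare source name
        fqdn = f"{src}.{domain}"
        if fqdn in by_norm:
            return by_norm[fqdn]
        # Fall back to a short-name match only when exactly one device has it,
        # so logs are never attributed to the wrong host.
        cands = [d for n, d in by_norm.items() if n.split(".", 1)[0] == src]
        return cands[0] if len(cands) == 1 else None
    host, _, dom = src.partition(".")         # 4. FQDN source, bare inventory name
    if dom == domain and host in by_norm:
        return by_norm[host]
    return None


if __name__ == "__main__":
    for s in ["FW.home.example.", "nas.home.example", "wap-livingroom--c",
              "wap-livingroom", "printer", "mac", "nas.lab.example"]:
        print(f"{s!r:24} -> {match_source(s)!r}")
```

Sources that resolve to `None` are the ones worth listing for review, since they are either unknown hosts or names that would need an override entry.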