Log messages received by VMware vRealize Log Insight commonly have both a source and a hostname field. This article explains the difference between these two fields and their respective meanings.
Every message received by VMware vRealize Log Insight via syslog can have metadata fields and values associated with it. Two of these fields, source and hostname, provide insight into the origin of the message. Both fields can be used when searching or filtering log messages.
The source field is derived from the network address that Log Insight received the message from, and contains either that IP address or a hostname resolved from it. If DNS servers are configured, Log Insight attempts a reverse DNS (PTR) lookup on each IP address a message is received from. If the reverse lookup returns a hostname, Log Insight then queries for the A record of that hostname to check that it maps back to the sending address.
If both lookups succeed, the source field for the message contains that name; otherwise it contains the IP address. Depending on the external DNS server configuration, the name returned may be a bare hostname or an FQDN, and it is stored in the source field as returned.
If a syslog message passes through a relay before being received by Log Insight, the source field typically contains the address or name of the syslog relay rather than that of the original sender, because the relay is the host Log Insight actually received the message from.
The hostname field contains an identifier extracted from the header of the syslog message itself. Its value is written by the machine that originally sent the message, so it usually holds the hostname or FQDN of the message originator, but not every syslog source is able to provide one. It may instead contain an IP address, or any other string the originator chooses to send, such as localhost. Log Insight does not perform reverse DNS lookups on the hostname field, so the value is whatever the sender wrote and should be treated as self-reported rather than verified.
If a syslog message passes through a relay before being received by Log Insight, the relay may rewrite the hostname field, so the value Log Insight stores does not necessarily match what the originator sent. Configuration of third-party syslog relays is outside the scope of this article.
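The following is an added example, not code from the article or from Log Insight, that models how the two fields described above are populated: source from the transport peer address with a reverse lookup confirmed by a forward lookup, and hostname parsed verbatim from the message header. It assumes a hard-coded DNS table and invented hostnames, addresses and messages (all constructed for illustration), handles the relay case, the localhost and IP-literal cases, and an RFC 5424 header with no hostname, and adds a simple check, not something Log Insight does, that flags a self-reported hostname that disagrees with the confirmed source.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the DNS servers Log Insight would be configured with.
# Records are hard-coded so the example runs offline; names and addresses are invented.
PTR_RECORDS: Dict[str, str] = {
    "10.0.0.5": "esxi01.corp.example",
    "10.0.0.9": "relay01.corp.example",
    "10.0.0.20": "stale-name.corp.example",  # PTR exists, but the A record disagrees
}
A_RECORDS: Dict[str, str] = {
    "esxi01.corp.example": "10.0.0.5",
    "relay01.corp.example": "10.0.0.9",
    "stale-name.corp.example": "10.0.0.99",  # forward lookup does not confirm the PTR
}


def resolve_source(peer_ip: str) -> str:
    """Value for the source field: the PTR name if a forward (A) lookup maps it
    back to the same address, otherwise the bare IP the message arrived from."""
    name = PTR_RECORDS.get(peer_ip)
    if name is None or A_RECORDS.get(name) != peer_ip:
        return peer_ip
    return name


# Header layouts: RFC 5424 ("<PRI>1 TIMESTAMP HOSTNAME APP PROCID MSGID ...")
# and the older RFC 3164 ("<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG").
RFC5424 = re.compile(r"^<\d{1,3}>1 \S+ (?P<host>\S+) \S+ \S+ \S+ .*$")
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) .*$")


def extract_hostname(raw: str) -> Optional[str]:
    """Hostname field exactly as the originator wrote it into the header.
    Returns None when the header carries no hostname (RFC 5424 NILVALUE '-')
    or the header cannot be parsed."""
    m = RFC5424.match(raw)
    if m:
        host = m.group("host")
        return None if host == "-" else host
    m = RFC3164.match(raw)
    if m:
        return m.group("host")
    return None


@dataclass
class Event:
    source: str              # derived from the transport peer address
    hostname: Optional[str]  # self-reported, copied verbatim from the message
    text: str


def ingest(peer_ip: str, raw: str) -> Event:
    return Event(source=resolve_source(peer_ip), hostname=extract_hostname(raw), text=raw)


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hostname_is_usable(hostname: Optional[str]) -> bool:
    """False for values that do not identify a machine: absent, 'localhost', or an IP literal."""
    return bool(hostname) and hostname.lower() != "localhost" and not _is_ip_literal(hostname)


def hostname_disagrees_with_source(ev: Event) -> bool:
    """True when a usable, self-reported hostname is not confirmed by the source:
    either the source is an unresolved IP, or its first DNS label differs from the
    hostname's (so 'esxi01' and 'esxi01.corp.example' agree). Expected for traffic
    through a relay; for direct senders it deserves a look, since the hostname
    field is set by whoever sent the packet. This check is an assumption of the
    example, not a Log Insight feature."""
    if not hostname_is_usable(ev.hostname):
        return False
    if _is_ip_literal(ev.source):
        return True
    return ev.hostname.split(".")[0].lower() != ev.source.split(".")[0].lower()


# Constructed sample traffic: (peer address the datagram came from, raw message).
SAMPLES = [
    ("10.0.0.5", "<14>1 2024-05-01T12:00:00Z esxi01.corp.example Hostd 1234 - - User root logged in"),
    ("10.0.0.9", "<13>May  1 12:00:01 app02 sshd[999]: Accepted publickey for admin"),  # via relay
    ("10.0.0.20", "<13>May  1 12:00:02 localhost kernel: eth0 link up"),
    ("10.0.0.77", "<165>1 2024-05-01T12:00:03Z - agent - - - header without hostname"),
    ("10.0.0.5", "<14>1 2024-05-01T12:00:04Z dc01.corp.example Hostd 1234 - - hostname claims another box"),
]

if __name__ == "__main__":
    for peer, raw in SAMPLES:
        ev = ingest(peer, raw)
        print(f"source={ev.source!r:24} hostname={ev.hostname!r:24} "
              f"mismatch={hostname_disagrees_with_source(ev)}")
```

Running the block prints one line per sample: the ESXi message resolves to a confirmed name on both fields; the relayed message shows the relay as source and app02 as hostname; the sender whose PTR is not confirmed by its A record keeps its bare IP as source while reporting localhost; the NILVALUE header yields no hostname at all; and the last message, sent from the ESXi address but claiming to be dc01, is the case the mismatch check exists for.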