False "Inactive host" notifications in Aria Operations for Logs


Article ID: 424199


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

You receive false "Inactive host" notifications even though log collection is active. In a common scenario, you have an inactive host notification set up to send alerts if logs stop for 2 days. When you receive the alert, you can log in to Aria Operations for Logs, navigate to Explore Logs, and see that the last received events for the hostname are within the last 5 minutes.

Upon exploring the logs, you see that logs were being collected prior to the time the alert says they stopped. One specific observation is that the source list intermittently displays the hostname with a -rez suffix appended to the name, while the text of the log lists the hostname correctly.

Log Evidence Summary

Technical investigation of the runtime.log confirms the following evidence of host identity confusion:

  • Source Identification: Metadata queries show that hostnames with the -rez suffix are recognized as valid sources during the ingestion process.
  • Active Status: Log entries confirm that these -rez identities are actively sending data, with "last received events" timestamps occurring within the previous 5 minutes.
  • Identity Conflict: Because the application relies on reverse DNS lookups, the presence of the unrecognized -rez alias creates a "split identity" for the single IP address.
  • Alert Trigger: Since Aria Operations for Logs only tracks the primary hostname, the system interprets the arriving logs under the alias as belonging to a different identity, incorrectly triggering the inactivity alert for the primary host.

Symptoms and observations include:

  • Aria Operations for Logs sends an email alert stating a host is inactive.
  • The Log Explorer confirms no gaps in log ingestion for the affected IP address.
  • The "Source" column in Log Explorer shows a -rez suffix.
  • The host with -rez does not appear in the Management > Hosts interface.

Environment

  • Aria Operations for Logs 8.18.5
  • Infoblox DNS

Cause

The issue is caused by a "split identity" situation where Aria Operations for Logs sees alternating host identities for the same IP address.

The application requires a strict 1:1 mapping for DNS resolution to maintain a consistent host identity. In this scenario, the DNS environment (Infoblox) contains a primary hostname and a secondary -rez alias mapped to the same IP. The DNS server exhibits "round-robin" behavior, alternating the PTR (reverse DNS) record between the primary hostname and the alias. When the application performs a reverse lookup and receives the unrecognized -rez alias, it interprets the primary managed identity as inactive.

Resolution

Follow these steps to align the infrastructure with the required 1:1 DNS mapping:

  1. Verify DNS Configuration: Perform an nslookup on the affected IP address to confirm whether multiple hostnames (primary and -rez) are returned or whether the response alternates.
  2. Configure DNS Consistency: Adjust the Infoblox/DNS configuration so that reverse DNS (PTR) queries for these specific IPs consistently return only the primary hostname instead of the -rez alias.
  3. Implement Traffic Filtering: If your auditing requirements allow, ensure that logs or metadata containing -rez names are filtered before being passed to the application to prevent identity confusion.
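
The check in step 1 can be scripted by repeating the reverse lookup and counting every name that comes back. This is an added example, not code from the article or from the product; the function names, the IP 192.0.2.10 and the app01 hostnames are constructed placeholders, and the live lookup uses Python's standard `socket.gethostbyaddr`.

```python
import itertools
import socket
from collections import Counter


def default_ptr_lookup(ip):
    """One reverse lookup via the OS resolver; returns all names reported."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # socket.herror / socket.gaierror: no PTR or bad address
        return []
    return [name, *aliases]


def check_ptr_consistency(ip, expected, attempts=10, lookup=default_ptr_lookup):
    """Repeat the PTR query and report whether only `expected` is returned."""
    expected = expected.rstrip(".").lower()
    seen = Counter()
    failed = 0
    for _ in range(attempts):
        # Normalise case and trailing dot so equal names compare equal.
        names = {n.rstrip(".").lower() for n in lookup(ip)}
        if not names:
            failed += 1
        seen.update(names)
    unexpected = sorted(n for n in seen if n != expected)
    if not seen:
        verdict = "no-ptr"
    elif unexpected:
        verdict = "split-identity"  # an alias (e.g. -rez) shares the IP
    else:
        verdict = "consistent"
    return {"verdict": verdict, "names": dict(seen),
            "unexpected": unexpected, "failed_lookups": failed}


def make_round_robin(names):
    """Constructed stand-in for a DNS server that alternates PTR answers."""
    ring = itertools.cycle(names)
    return lambda ip: [next(ring)]


if __name__ == "__main__":
    # Constructed sample data; omit `lookup=` to query the real resolver.
    fake_dns = make_round_robin(["app01.example.com", "app01-rez.example.com"])
    print(check_ptr_consistency("192.0.2.10", "app01.example.com",
                                attempts=6, lookup=fake_dns))
```

A caching resolver on the machine running the script can return the same answer repeatedly and hide the alternation, so run it against the same DNS server the Aria Operations for Logs nodes use.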

Additional Information

Aria Operations for Logs relies on consistent PTR record responses to correctly track host status when the IP address is used for the source.