False "Inactive Host" Alerts with Malformed or Partial Hostnames in Aria Operations for Logs

Article ID: 434494

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Administrators receive "Inactive host" email notifications for hosts that do not exist or have invalid names.
  • Affected hostnames in the alerts contain only partial words or fragments (e.g., "fai", "comma", "statu").
  • Searching Explore Logs for the valid hostname shows that logs are being ingested correctly without gaps.
  • The malformed hostnames do not appear in the Management > Hosts interface but trigger alerts based on inactivity thresholds (typically 2 days).

Environment

Aria Operations for Logs 8.18.x

Cause

This issue is caused by Syslog Metadata Corruption. A specific host in the environment sends corrupted syslog packets—often due to a hardware failure such as a failing hard drive or file system corruption.

Aria Operations for Logs extracts the content of the "Host" field from the syslog header. When this data is corrupted, the system interprets the fragments as new, unique host identities. Once the corrupted stream stops or the fragments change, the system triggers an "Inactive Host" alert for those temporary, malformed identities.

Resolution

Step 1: Identify and Remediate the Source

  1. Navigate to Explore Logs in the Aria Operations for Logs UI.
  2. Search for the malformed hostname string found in the alert.
  3. Check the source field or the metadata of the returned logs to identify the actual IP address or FQDN of the reporting device.
  4. Investigate the identified host for hardware issues (specifically disk health) or OS-level syslog service corruption.
  5. Reboot the source host or repair the hardware to stop the transmission of corrupted syslog data.
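The lookup in Step 1 can also be run offline over exported events. The following is an added example, not code from this article or from the product: it assumes you have an export of (sender IP, raw RFC 3164 syslog line) pairs and an inventory of expected hostnames, and all names, addresses and log lines in it are constructed.

```python
import re
from collections import defaultdict

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")

# Constructed inventory of hostnames expected to send syslog (assumption).
KNOWN_HOSTS = {"esx01.example.test", "esx02.example.test"}

# Constructed sample: (sender IP seen by the collector, raw syslog line).
SAMPLE = [
    ("192.0.2.10", "<14>Mar  3 10:00:01 esx01.example.test vmkernel: cpu3: ok"),
    ("192.0.2.11", "<14>Mar  3 10:00:02 esx02.example.test hostd: status ok"),
    ("192.0.2.11", "<14>Mar  3 10:00:03 fai led: write error"),
    ("192.0.2.11", "<14>Mar  3 10:00:04 statu s: degraded"),
    ("192.0.2.11", "<14>Mar  3 10:0"),  # header truncated before the Host field
]


def suspect_sources(events, known_hosts):
    """Return senders that emitted Host values outside the inventory.

    For each such sender the result lists the valid hostnames it also used
    (the device to investigate), the unexpected Host fragments, and the
    number of lines whose header could not be parsed at all.
    """
    seen = defaultdict(lambda: {"valid": set(), "unexpected": set(), "unparsed": 0})
    for sender_ip, line in events:
        match = HEADER.match(line)
        if match is None:
            seen[sender_ip]["unparsed"] += 1
            continue
        host = match.group(1).lower()
        bucket = "valid" if host in known_hosts else "unexpected"
        seen[sender_ip][bucket].add(host)
    return {
        ip: {"valid": sorted(s["valid"]),
             "unexpected": sorted(s["unexpected"]),
             "unparsed": s["unparsed"]}
        for ip, s in seen.items()
        if s["unexpected"] or s["unparsed"]
    }


if __name__ == "__main__":
    for ip, report in suspect_sources(SAMPLE, KNOWN_HOSTS).items():
        print(ip, report)
```

A sender that appears in the result with both a valid hostname and several short unexpected fragments matches the corruption pattern described under Cause.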

Step 2: Clear Malformed Hostnames from the Database

To immediately stop alerts for these false identities, you must clear the host ingestion table. Follow the steps in "Multiple Inactive ESXi Host Email Alerts Triggered by Aria Operations for Logs Cluster".