SourceIP address shows up incorrectly; shows up as localhost IP

  • 3951877
  • 21-Mar-2008
  • 26-Apr-2012

Environment

Novell Audit
RedHat Enterprise Linux 3

Situation

When making queries to the Novell Audit database, it appears that the SourceIP address is incorrect.
The SourceIP address shows up as 127.0.0.1.
In the Monitor tab, you do not see the IP address of the other remote RHES 3 servers with platform agents installed.
The events are making it to the SLS.
The nproduct.log on both servers show that the remote platform agent has connected.
LAN traces confirm that the remote platform agent is sending the data to the SLS.

Resolution

Red Hat makes a single entry in the /etc/hosts file that has multiple entries. When the platform agent resolves that name, the IP address that it receives from the OS comes from the hosts file. Here is an example of the problem statement in the /etc/hosts file:
127.0.0.1 tblarsen1.provo.novell.com tblarsen1 localhost.localdomain localhost
To fix it, please do the following within the /etc/hosts file:
# 127.0.0.1 tblarsen1.provo.novell.com tblarsen1 localhost.localdomain localhost
127.0.0.1 localhost
10.1.2.3 tblarsen1.provo.novell.com tblarsen1
You may need to stop and start the instrumentation in order for the changes to take effect. If you are receiving erroneous IP addresses from the eDirectory instrumentation, please do the following from a command prompt (make sure you do the command as root):
ndstrace -c "unload auditds"
ndstrace -c "load auditds"
This will stop and start the eDirectory instrumentation on Linux. Please refer to the online documentation on how to restart your intrumentation and/or platform agent for other platforms.

Additional Information

If you are running Novell Audit going to a Sentinel server, please see KB 3827350.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.