Merge pull request #438 from splunk/feature/rdns

Support reverse DNS

docs/configuration.md

@@ -9,6 +9,7 @@ and variables needed to properly configure SC4S for your environment.
 |----------|---------------|-------------|
 | SPLUNK_HEC_URL | url | URL(s) of the Splunk endpoint, can be a single URL space seperated list |
 | SPLUNK_HEC_TOKEN | string | Splunk HTTP Event Collector Token |
+| SC4S_GLOBAL_DNS_USE | yes or no(default) | use reverse DNS to identify hosts when HOST is not valid in the syslog header |
 
 * NOTE:  Do _not_ configure HEC Acknowledgement when deploying the HEC token on the Splunk side; the underlying syslog-ng http
 destination does not support this feature.  Moreover, HEC Ack would significantly degrade performance for streaming data such as

package/Dockerfile

@@ -13,7 +13,7 @@ COPY --from=hairyhenderson/gomplate:v3.5.0 /gomplate /usr/local/bin/gomplate
 
 COPY goss.yaml goss.yaml
 
-COPY etc/syslog-ng.conf /opt/syslog-ng/etc/syslog-ng.conf
+COPY etc/syslog-ng.conf.tmpl /opt/syslog-ng/etc/syslog-ng.conf.tmpl
 COPY etc/conf.d /opt/syslog-ng/etc/conf.d
 COPY etc/go_templates /opt/syslog-ng/etc/go_templates
 COPY etc/context_templates /opt/syslog-ng/etc/context_templates

package/etc/syslog-ng.conf → package/etc/syslog-ng.conf.tmpl

@@ -17,12 +17,12 @@ options {
         flush_lines (100);
         time_reopen (10);
         log_fifo_size (10000);
-        chain_hostnames (off);
-        use_dns (no);
+        chain_hostnames (yes);
+        use_dns ({{getenv "SC4S_GLOBAL_DNS_USE" "no"}});
         use_fqdn (no);
-        dns-cache(no);
+        dns-cache({{getenv "SC4S_GLOBAL_DNS_CACHE" "yes"}});
         create_dirs (no);
-        keep-hostname (yes);
+        keep-hostname (no);
         create_dirs(yes);
         dir_perm(0750);
         stats-freq(30);