splunk-connect-for-syslog
Enhancement request - management of hostip.sqlite file
Related to the use of SC4S_USE_NAME_CACHE=yes
After an old DNS entry was deleted from our DNS service, I noticed that I was still getting events indexed in Splunk with hostnames that are not resolvable from the sc4s container. I verified that tcpdump showed the correct DNS name and that the message itself did not have a hostname in it.
After deleting the hostip.sqlite file the issue was resolved.
Would appreciate the following so we can automate updates or cleansing of this file without having to disable it, restart the container, exec into the container to delete the file, re-enable it, and then restart the service.
- A method to delete the file entirely on shutdown. Perhaps a flag like SC4S_NAME_CACHE_CLEAR=yes|no to have it delete the file on every startup?
- Potentially a method to validate the contents of the file against nslookup and give warnings if the contents of the file do not match what is returned from DNS.
- Documentation on this file: its location, its contents, how to manually delete it, and direction on how to manipulate it.
Showing his next-level thinking, Ryan F was thinking:
1) "I was thinking the 'feature' would be to have a special syslog event that would have the 'ip' to delete, to delete just one" and 2) "a host/ip pair to add one to the cache"
- What about a time tracker for when the entry was added and the ability to send a command to delete everything with a timestamp older than x?
- Toss in a delete-them-all command and you can toss my original ideas out the window (aside from documentation, of course :)
This would allow us to update the cache on the fly without having to restart the container.
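As an added example (this is not SC4S project code, and the real hostip.sqlite schema is not shown on this page, so the `hosts` table layout, its column names and the `added` timestamp column are assumptions), the following Python shows what the per-entry add/delete, DNS validation and age-based purge requested above could look like. It runs against a stand-in SQLite cache built in memory and takes the resolver as a parameter, so the demo can use a constructed fake DNS table instead of live lookups; `reverse_dns` is the live resolver you would plug in inside the container.

```python
"""Audit and prune an IP -> hostname name cache (stand-in for SC4S hostip.sqlite).

Added example, not SC4S code. The table layout (ip, name, added) is an ASSUMPTION;
the real hostip.sqlite schema is not documented on the issue page.
"""
import socket
import sqlite3
import time
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # ip -> hostname, or None if DNS has no PTR

SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (
    ip    TEXT PRIMARY KEY,
    name  TEXT NOT NULL,
    added INTEGER NOT NULL   -- unix time the entry was cached (assumed column)
)
"""


def open_cache(path: str) -> sqlite3.Connection:
    """Open (or create) the cache; use the real hostip.sqlite path in the container."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def add_entry(conn: sqlite3.Connection, ip: str, name: str, now: Optional[int] = None) -> None:
    """Insert or overwrite one host/ip pair (the 'add one to the cache' idea)."""
    now = int(time.time()) if now is None else now
    conn.execute("INSERT OR REPLACE INTO hosts (ip, name, added) VALUES (?, ?, ?)", (ip, name, now))
    conn.commit()


def delete_entry(conn: sqlite3.Connection, ip: str) -> int:
    """Delete the cached name for a single IP (the 'delete just one' idea); returns rows removed."""
    cur = conn.execute("DELETE FROM hosts WHERE ip = ?", (ip,))
    conn.commit()
    return cur.rowcount


def reverse_dns(ip: str) -> Optional[str]:
    """Live resolver: reverse-lookup an IP, None when DNS has no record for it."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def audit(conn: sqlite3.Connection, resolve: Resolver = reverse_dns) -> List[Tuple[str, str, Optional[str]]]:
    """Return (ip, cached_name, dns_name) for every entry whose cached name no longer
    matches what the resolver returns (the 'validate against nslookup and warn' idea)."""
    mismatches = []
    for ip, name in conn.execute("SELECT ip, name FROM hosts ORDER BY ip"):
        live = resolve(ip)
        if live != name:  # covers both renamed hosts and records deleted from DNS (live is None)
            mismatches.append((ip, name, live))
    return mismatches


def purge_older_than(conn: sqlite3.Connection, max_age_seconds: int, now: Optional[int] = None) -> int:
    """Delete every entry cached more than max_age_seconds ago (the timestamp idea)."""
    now = int(time.time()) if now is None else now
    cur = conn.execute("DELETE FROM hosts WHERE added < ?", (now - max_age_seconds,))
    conn.commit()
    return cur.rowcount


def purge_stale(conn: sqlite3.Connection, resolve: Resolver = reverse_dns) -> int:
    """Delete every entry that disagrees with DNS right now; returns rows removed."""
    stale = [ip for ip, _, _ in audit(conn, resolve)]
    for ip in stale:
        conn.execute("DELETE FROM hosts WHERE ip = ?", (ip,))
    conn.commit()
    return len(stale)


def demo():
    """Constructed sample: in-memory cache plus a fake DNS table standing in for the resolver."""
    fake_dns = {"10.0.0.5": "fw01.example.internal", "10.0.0.9": "db02.example.internal"}
    conn = open_cache(":memory:")
    now = 1_700_000_000
    add_entry(conn, "10.0.0.5", "fw01.example.internal", now - 60)               # fresh and correct
    add_entry(conn, "10.0.0.7", "old-syslog.example.internal", now - 90 * 86400)  # record deleted from DNS
    add_entry(conn, "10.0.0.9", "db02-old.example.internal", now - 3600)         # host renamed in DNS
    mismatches = audit(conn, fake_dns.get)
    purged_old = purge_older_than(conn, 30 * 86400, now)   # removes 10.0.0.7 by age
    purged_stale = purge_stale(conn, fake_dns.get)          # removes 10.0.0.9 by DNS mismatch
    remaining = [row[0] for row in conn.execute("SELECT ip FROM hosts ORDER BY ip")]
    return mismatches, purged_old, purged_stale, remaining


if __name__ == "__main__":
    print(demo())
```

The audit is deliberately separate from the purge so it can run as a read-only warning pass first; an entry whose IP has lost its DNS record shows up with `dns_name` of `None`, which is exactly the stale-cache situation described in the report.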
We have implemented the following fix for now:
To clear the hostip.sqlite file, set the SC4S_CLEAR_NAME_CACHE=yes
flag in env_file. This action will automatically delete the hostip.sqlite file when sc4s restarts.