Familiar problem: logs from the central rsyslog server show up in Graylog with the logserver's hostname rather than the hostname from the syslog message. I had this corrected in a Graylog 2.0.1 appliance, but I cannot get it working on Graylog 2.1.1 installed from packages. The rsyslog server remains the same.
Solved it on 2.0.1 using this template:

# Use this when log message is originating from local host
$template GRAYLOGRFC5424drfcorp,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME%.drf.corp %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

# Use this when log message is not originating from local host
$template GRAYLOGRFC5424fromhost,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %FROMHOST% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

# @ prefix for UDP and @@ prefix for TCP
# if not pnjhulogsrv then use FQDN in %FROMHOST% as source in message
# graylog 2.0.1
if $hostname != 'pnjhulogsrv' then @@10.232.176.25:514;GRAYLOGRFC5424fromhost
# graylog 2.1.1
if $hostname != 'pnjhulogsrv' then @@10.232.88.190:514;GRAYLOGRFC5424fromhost

# if pnjhulogsrv then append .drf.corp to %HOSTNAME% as source in message
# graylog 2.0.1
if $hostname == 'pnjhulogsrv' then @@10.232.176.25:514;GRAYLOGRFC5424drfcorp
# graylog 2.1.1
if $hostname == 'pnjhulogsrv' then @@10.232.88.190:514;GRAYLOGRFC5424drfcorp

When I send the same entries to both Graylog servers, 2.0.1 shows the origin hostname as source and 2.1.1 shows the rsyslog server as source. Any suggestions?
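A quick way to tell whether the relay or the Graylog input is rewriting the source is to capture what the relay actually sends on port 514 and look at the HOSTNAME slot of each RFC 5424 header, since that slot is what a syslog input records as the source. The parser below is an added example, not code from this thread or from Graylog: it parses the header layout the two templates above produce and tallies the hostnames over a batch of lines; the relay name pnjhulogsrv and the .drf.corp domain come from the post, while the sample lines are constructed.

```python
import re
from collections import Counter

# Header layout both rsyslog templates in the post emit (RFC 5424):
#   <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD SP MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)

# Constructed sample lines in the shape the templates produce (not real captures);
# relay name and domain are taken from the post, hosts, times and text are made up.
SAMPLE_LINES = [
    '<38>1 2016-10-20T10:15:00.123456+02:00 webfe01.drf.corp sshd 1234 - - session opened for user svc\n',
    '<14>1 2016-10-20T10:15:01.000000+02:00 db02.drf.corp pg_ctl - - [meta sequenceId="42" note="br\\]ack"] checkpoint complete\n',
    '<85>1 2016-10-20T10:15:02.000000+02:00 pnjhulogsrv.drf.corp sudo 4321 - - session closed\n',
]


def _split_structured_data(rest):
    """Split STRUCTURED-DATA from MSG: SD is '-' or a run of [..] elements; a ']' in a param value is escaped as '\\]'."""
    if rest.startswith("-"):
        return "-", rest[2:] if rest.startswith("- ") else ""
    i = 0
    while i < len(rest) and rest[i] == "[":
        i += 1
        while i < len(rest) and rest[i] != "]":
            i += 2 if rest[i] == "\\" else 1  # skip an escaped char together with its backslash
        i += 1  # consume the closing ']'
    return rest[:i], (rest[i + 1:] if rest[i:i + 1] == " " else rest[i:])


def parse_rfc5424(line):
    """Return the header fields of one RFC 5424 line as a dict; raise ValueError on a malformed header."""
    line = line.rstrip("\r\n")
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    fields = m.groupdict()
    fields["pri"] = int(fields["pri"])
    fields["structured_data"], fields["msg"] = _split_structured_data(line[m.end():])
    return fields


def tally_sources(lines):
    """Count the HOSTNAME values a syslog input will record as 'source' across captured lines."""
    return Counter(parse_rfc5424(line)["hostname"] for line in lines)


def relay_share(lines, relay="pnjhulogsrv"):
    """Fraction of lines whose HOSTNAME slot is the relay itself (short name or FQDN)."""
    tally = tally_sources(lines)
    hits = sum(n for host, n in tally.items() if host.split(".")[0] == relay)
    return hits / sum(tally.values()) if tally else 0.0
```

If relay_share is close to 1.0 on a capture you know contains traffic from many hosts, the relay's template or forwarding rule is putting its own name in the HOSTNAME slot before Graylog ever sees the message.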
