Hi Terry, as far as I know, there hasn't been any change in the syslog parsing code between Graylog 2.0.x and 2.1.x.
Please re-check your configuration and provide some sample messages (ideally captured with tcpdump or Wireshark), so that we can reproduce your problem.

Cheers,
Jochen

On Friday, 30 September 2016 20:57:30 UTC+2, Terry Lee wrote:
>
> Familiar problem, logs from central rsyslog server show up in Graylog with
> logserver hostname rather than hostname from syslog message. I had this
> corrected in a Graylog 2.0.1 appliance, but I cannot get it working on
> Graylog 2.1.1 installed from packages. The rsyslog server remains the
> same.
>
> Solved it on 2.0.1 using this template:
>
> # Use this when log message is originating from local host
> $template GRAYLOGRFC5424drfcorp,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME%.drf.corp %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
>
> # Use this when log message is not originating from local host
> $template GRAYLOGRFC5424fromhost,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %FROMHOST% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
> # @ prefix for UDP and @@ prefix for TCP
>
> # if not pnjhulogsrv then use FQDN in %FROMHOST% as source in message
> # graylog 2.0.1
> if $hostname != 'pnjhulogsrv' then @@10.232.176.25:514;GRAYLOGRFC5424fromhost
> # graylog 2.1.1
> if $hostname != 'pnjhulogsrv' then @@10.232.88.190:514;GRAYLOGRFC5424fromhost
>
> # if pnjhulogsrv then append .drf.corp to %HOSTNAME% as source in message
> # graylog 2.0.1
> if $hostname == 'pnjhulogsrv' then @@10.232.176.25:514;GRAYLOGRFC5424drfcorp
> # graylog 2.1.1
> if $hostname == 'pnjhulogsrv' then @@10.232.88.190:514;GRAYLOGRFC5424drfcorp
>
> When I send the same entries to both Graylog servers, 2.0.1 shows the
> origin hostname as source and 2.1.1 shows the rsyslog server as source?
>
> Any suggestions?
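An added example, not part of the original thread and not Graylog or rsyslog code: a small checker for the captured samples requested above, which reads the HOSTNAME field out of each newline-framed RFC 5424 line so you can see whether the relay's template put the origin host or the relay's own name on the wire. The sample payload and the host `web01.example.test` are constructed; the relay name `pnjhulogsrv` is taken from the quoted configuration.

```python
import re

# RFC 5424 header layout, matching the field order of the templates in the thread:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)

def split_frames(payload: bytes):
    """Split a TCP payload that uses newline framing (the templates end in \\n)."""
    return [f for f in payload.decode("utf-8", "replace").split("\n") if f]

def wire_hostname(frame: str):
    """Return the HOSTNAME field of an RFC 5424 frame, or None if the header does not parse."""
    m = RFC5424_HEADER.match(frame)
    return m.group("hostname") if m else None

def audit(payload: bytes, relay_names):
    """Label each frame 'origin', 'relay' (HOSTNAME is the relay's own name) or 'unparsed'."""
    results = []
    for frame in split_frames(payload):
        host = wire_hostname(frame)
        if host is None:
            verdict = "unparsed"
        elif host.split(".")[0].lower() in relay_names:
            verdict = "relay"
        else:
            verdict = "origin"
        results.append((host, verdict))
    return results

# Constructed sample payload, shaped like a tcpdump capture of the relay's TCP output.
SAMPLE = (
    b"<134>1 2016-09-30T20:57:30+02:00 web01.example.test sshd 1234 - - Accepted publickey\n"
    b"<134>1 2016-09-30T20:57:31+02:00 pnjhulogsrv.drf.corp rsyslogd - - - relay heartbeat\n"
    b"<134>Sep 30 20:57:32 web01 sshd[1234]: legacy BSD-format line\n"
)

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE, {"pnjhulogsrv"}):
        print(f"{verdict:9} {host}")
```

Frames that originated on other hosts but come back labelled `relay`, or frames labelled `unparsed`, point at the forwarding template rather than at the receiver.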
