Hi, I'm using Ubuntu 18, rsyslog v8.x. I have applied the custom template *templ1* and am forwarding all logs to the central log server 10.168.0.100 using plain TCP. I checked the traffic on the forwarding client itself and observed that %fromhost-ip% is not sent (the hostname is seen in the sent traffic). How can I include this fromhost-ip field in the logs forwarded to a SIEM software? This will help me to identify the logs' source hosts correctly.

$KLogPermitNonKernelFacility on
$template templ1,"%PRI% %TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate templ1
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
*.* @@10.168.0.100
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
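
An added example, not part of the original post or the rsyslog project's own configuration: one way to get a source address into the forwarded stream. It binds the template to the forwarding action itself and also records the sender address on the receiver. The template name `withSrc`, port 514, the file `/var/log/remote.log`, and the premise that 10.168.0.100 runs rsyslog are assumptions.

```conf
# --- Client (the forwarding host from the post) ---------------------------
# $ActionFileDefaultTemplate only changes the default for file outputs.
# A forwarding action keeps the built-in forward format unless a template
# is attached to it, which is why the hostname (not fromhost-ip) was seen
# on the wire.
#
# <%PRI%> is written with angle brackets here (a change from the posted
# template) so the receiver can still parse the priority field.
$template templ1,"<%PRI%>%TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Attach the template to this one action with ";templ1".
*.* @@10.168.0.100;templ1

# Caveat: for messages generated on this host (imuxsock, imklog),
# rsyslog sets fromhost-ip to 127.0.0.1, so the value sent above does not
# identify the client. It is only meaningful for messages this host
# relays on behalf of other senders.

# --- Receiver (assumption: 10.168.0.100 also runs rsyslog) ----------------
# On the receiver, fromhost-ip is the address of the peer that opened the
# TCP connection, taken from the socket rather than from message content,
# so a sender cannot change it by editing its own template.
$ModLoad imtcp
$InputTCPServerRun 514

# Constructed template: sender address first, then the parsed fields.
$template withSrc,"%fromhost-ip% %TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
*.* /var/log/remote.log;withSrc
```

Each side can be checked with `rsyslogd -N1` before restarting the service; the client and receiver sections belong in the configuration of their respective hosts.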

