Should be this one: $ActionForwardDefaultTemplate [templateName] - sets a new default template for UDP and plain TCP forwarding action
Source: https://www.rsyslog.com/doc/v8-stable/configuration/action/index.html#omfwd-specific-configuration-statements

Best
Cyril

--
Universität Zürich
Cyril Stoll
Zentrale Informatik
Stampfenbachstrasse 73
CH-8006 Zürich
Tel. +41 44 63 5 22 93
www.zi.uzh.ch

From: "John Chivian via rsyslog" <[email protected]>
To: [email protected]
Cc: "John Chivian" <[email protected]>
Date: 21/09/2020 20:07
Subject: Re: [rsyslog] include additional fields in forwarded log
Sent by: "rsyslog" <[email protected]>

The network destination does not use the "file" default template. You need to change the "forwarding" default template. I don't have the exact syntax at hand, but I'm sure the documentation page does.

Regards,

On 9/21/20 12:49 PM, panda miki via rsyslog wrote:
> Hi, I'm using Ubuntu 18, rsyslog v8.x. I have applied custom template
> *templ1* and am forwarding all logs to central log server 10.168.0.100
> using plain TCP. I checked traffic on the same forwarding client and
> observed that %fromhost-ip% is not sent (hostname is seen in sent
> traffic). How can I include this fromhost-ip field in forwarded logs to
> a SIEM software? This helps me to identify log source hosts correctly.
>
> $KLogPermitNonKernelFacility on
>
> $template templ1,"%PRI% %TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
> $ActionFileDefaultTemplate templ1
>
> $RepeatedMsgReduction on
> $FileOwner syslog
> $FileGroup adm
> $FileCreateMode 0640
> $DirCreateMode 0755
> $Umask 0022
> $PrivDropToUser syslog
> $PrivDropToGroup syslog
>
> *.* @@10.168.0.100
> $WorkDirectory /var/spool/rsyslog
> $IncludeConfig /etc/rsyslog.d/*.conf
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
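Added example (not part of the thread, and not the posters' or the rsyslog project's own configuration): the question's config next to three ways of getting `templ1` applied to the TCP forward, using the directive named in the reply above. The template body and target address are copied from the question; port 514 in the last variant is an assumption, since the original action gives no port.

```rsyslog
# Template exactly as posted in the question.
$template templ1,"%PRI% %TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# --- As posted -------------------------------------------------------
# This only changes the default for file outputs. The forwarding action
# keeps the built-in forwarding format, so %fromhost-ip% never reaches
# the wire.
$ActionFileDefaultTemplate templ1
# *.* @@10.168.0.100

# --- Variant 1: change the default for UDP / plain TCP forwarding ----
# Place the directive above the forwarding action it should apply to.
$ActionForwardDefaultTemplate templ1
*.* @@10.168.0.100

# --- Variant 2: bind the template to this one action only ------------
# (use instead of variant 1; other forwarding actions keep the default)
# *.* @@10.168.0.100;templ1

# --- Variant 3: same binding in RainerScript syntax ------------------
# (port 514 is assumed here; the posted action does not specify one)
# action(type="omfwd" target="10.168.0.100" port="514"
#        protocol="tcp" template="templ1")

# Check before relying on the field for source attribution in the SIEM:
# for messages generated by local inputs on the sending host, rsyslog
# fills fromhost-ip with 127.0.0.1. The field carries a real source
# address only for messages this host received over the network and is
# relaying onward.
```

After editing, `rsyslogd -N1` validates the configuration without starting the daemon, and a packet capture on the client shows whether the new field is present in the forwarded messages.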

