https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306123#M57748 <P>Hi hartfoml,<BR /> receiving syslog and using a standard syslog parsing, usually hostname is read from the same log, is there the old hostname in your logs?<BR /> Bye.<BR /> Giuseppe</P> Fri, 13 Oct 2017 14:19:59 GMT gcusello 2017-10-13T14:19:59Z https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306120#M57745 <P>I have several VM servers from an image. The host names have been changed but somewhere the old host name is populating the messages file. when I monitor the messages file on all the hosts they all have the same host name for that source</P> <P><CODE>OCT 13 08:02:29 OLDHOST fprintd ** Message: No device in use, exit</CODE></P> <P>Splunk sees this log as process fprintd coming from source "/var/log/messages" from host "OLDHOST" I have set the server.conf and the inputs.conf to the new host name but it is still pulling from the log file.</P> <P>Any help would be great</P> Fri, 13 Oct 2017 08:19:11 GMT https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306120#M57745 hartfoml 2017-10-13T08:19:11Z https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306121#M57746 <P>Hi hartfoml,<BR /> sorry for the stupid question: did you restarted Forwarder?</P> <P>After restart check your Forwarder's configuration using btool:</P> <PRE><CODE>./splunk cmd btool server list --debug &gt; server.txt ./splunk cmd btool inputs list --debug &gt; inputs.txt </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 13 Oct 2017 08:28:47 GMT https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306121#M57746 gcusello 2017-10-13T08:28:47Z https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306122#M57747 <P>Ya, no, not a stupid question at all. I appreceate the responce. I did restart the client and I did use the btool to look for posable presedences of renaming the host = oldhostname. I don't know where this is comeing from or why splunk is pulling from the log file. maybe I will try changeing the source for the logs. Maybe becasue it is source = syslog it is pu;lling the host name from the log file.</P> Fri, 13 Oct 2017 14:01:52 GMT https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306122#M57747 hartfoml 2017-10-13T14:01:52Z https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306123#M57748 <P>Hi hartfoml,<BR /> receiving syslog and using a standard syslog parsing, usually hostname is read from the same log, is there the old hostname in your logs?<BR /> Bye.<BR /> Giuseppe</P> Fri, 13 Oct 2017 14:19:59 GMT https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306123#M57748 gcusello 2017-10-13T14:19:59Z https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306124#M57749 <P>Hi @cusello thanks for the info. I am useing a monitor stanza to watch the "var/log/..." folder All the other files in the folder are source=syslog. the only file I am haveing prolems with is the messages file. As I stated above with the log example the OldHostName is in the "messages" file and even though I put the [default] host = "NewHostName" in both the server.conf and the [monitor://] stanza in the inputs.conf. the other logs in the "/var/log/..." have the right host name tag on the logs just the messages have the oldhostname in the logs and is useing the oldhostname as the host tag. </P> <P>this is very unusual.</P> Sat, 14 Oct 2017 06:26:12 GMT https://community.splunk.com/t5/Getting-Data-In/Host-name-not-showing-correctly/m-p/306124#M57749 hartfoml 2017-10-14T06:26:12Z