I collect syslog (/var/log/messages) data with a Universal Forwarder, not over UDP. The events look like this:
Sep 3 12:42:16 ip-111-111-111-111 dhclient: bound to 18.104.22.168 -- renewal in 1414 seconds.
I want the host field of these events to be the FQDN "myhost", but I cannot get it to work.
My configuration files on the indexers are as follows.

inputs.conf
# file and stanza names reconstructed from the follow-up comment below
[monitor:///var/log/messages]
index = mysyslog
host = myhost

props.conf
[syslog]
TRANSFORMS-t1 = rename_myhost

transforms.conf
[rename_myhost]
REGEX = ^.*$
# the key is DEST_KEY (was misspelled DESTKEY); MetaData:Host is the indexed host field
DEST_KEY = MetaData:Host
FORMAT = host::myhost
How can I do this?
Thank you for your help.
The problem is that while host=myhost is set in the input phase, data with the syslog sourcetype will be sent to a transform that rewrites the hostname to whatever comes after the timestamp in each event. If you change the sourcetype to something other than syslog, this host override will not happen.
@sunrise, @HiroshiSatoh @kristian.kolb It is still unclear to me what the correct settings in inputs.conf, props.conf and transforms.conf would be.
Is this correct?
Please correct me if I am not getting it right. Thanks for the help!

inputs.conf
[monitor:///var/log/messages]
index = mysyslog
disabled = false
sourcetype = syslog
host = myhost

props.conf
[syslog]
TRANSFORMS-t1 = rename_myhost

transforms.conf
[rename_myhost]
REGEX = ^.*$
DEST_KEY = MetaData:Host
FORMAT = host::myhost
The above looks correct, but there is already a TRANSFORMS = syslog-host defined by default for the syslog sourcetype, which might occur after your transform, thus rewriting the host field again based on the contents of the syslog message.
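The two answers above point at the same root cause: the default [syslog] stanza in $SPLUNK_HOME/etc/system/default/props.conf carries TRANSFORMS = syslog-host, which re-derives host from the message body. Below is an added example (not configuration posted in this thread) showing both ways out; it assumes a forwarder-side inputs.conf, indexer-side props/transforms, and a made-up sourcetype name "mysyslog" for option A.

```ini
# --- On the Universal Forwarder: inputs.conf ---
# host is stamped here at input time. The UF does not parse events, so the
# props.conf / transforms.conf below must be deployed on the indexers.
[monitor:///var/log/messages]
index = mysyslog
disabled = false
# Option A: any sourcetype name other than "syslog" (assumed name) avoids the
# default [syslog] stanza entirely, so syslog-host never runs and host=myhost
# set here survives. Option B: keep "sourcetype = syslog" and use the props
# override below instead.
sourcetype = mysyslog
host = myhost

# --- On the indexers: props.conf (Option B only) ---
# local/props.conf overrides the default value of the same key. Transforms
# listed in one comma-separated class run in the listed order, so
# rename_myhost runs after syslog-host and its host value wins.
[syslog]
TRANSFORMS = syslog-host, rename_myhost

# --- On the indexers: transforms.conf (Option B only) ---
[rename_myhost]
# match every event and force the indexed host field
REGEX = ^.*$
DEST_KEY = MetaData:Host
FORMAT = host::myhost
```

With option A the other defaults of the [syslog] stanza (TIME_FORMAT, REPORT-syslog extractions) no longer apply to the new sourcetype, so copy the ones you need into its own props.conf stanza. After restarting the indexers (props/transforms are read at index time), verify with a search such as index=mysyslog | stats count by host, sourcetype.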