This is a common issue with the syslog sourcetype.
By default it behaves differently from the other inputs: the host is extracted from the events.
# inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
host=myhostname
With the event:
Feb 19 22:06:35 10.21.24.612 INFO I am a fabulous server
the final host will be 10.21.24.612, not myhostname.
I want to change the behavior.
The solution is to force the host in the inputs.conf and use another sourcetype than syslog without host extraction
Example:
# inputs.conf on the forwarder
[monitor:///var/log/messages]
sourcetype=syslog_nohost
host=myhostiwanttoenforce
# props.conf on the indexers
[syslog_nohost]
#based on a copy of syslog version 5.0.2
#TRANSFORMS = syslog-host
#disabling the host extraction
TRANSFORMS =
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
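To make the effect of the answer above concrete, here is an added Python example (not from the original post or from Splunk) that simulates how the host of an indexed event is chosen under the two props.conf stanzas: the stock syslog sourcetype, whose TRANSFORMS list contains syslog-host, and the syslog_nohost copy with TRANSFORMS cleared. The regex standing in for the built-in syslog-host transform is an approximation written for this example, and the props.conf text is constructed; the function names are the example's own.

```python
import configparser
import re

# Approximation of Splunk's built-in "syslog-host" transform (assumption: the real
# regex in system/default/transforms.conf differs in detail). It takes the token
# that follows the "Mon DD HH:MM:SS" timestamp as the host.
SYSLOG_HOST_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+(?P<host>[\w.\-]+)"
)

# Constructed props.conf text mirroring the two stanzas discussed in the answer.
PROPS_CONF = """
[syslog]
TRANSFORMS = syslog-host
TIME_FORMAT = %b %d %H:%M:%S
SHOULD_LINEMERGE = False

[syslog_nohost]
#based on a copy of syslog, host extraction disabled
TRANSFORMS =
TIME_FORMAT = %b %d %H:%M:%S
SHOULD_LINEMERGE = False
"""

# Sample event from the question (constructed input for this example).
EVENT = "Feb 19 22:06:35 10.21.24.612 INFO I am a fabulous server"


def load_props(text):
    """Parse props.conf-style text. interpolation=None keeps '%' in TIME_FORMAT
    from being treated as a substitution; optionxform=str keeps key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def host_extraction_enabled(props, sourcetype):
    """True if the stanza's TRANSFORMS list still names syslog-host."""
    transforms = props.get(sourcetype, "TRANSFORMS", fallback="")
    names = [t.strip() for t in transforms.split(",") if t.strip()]
    return "syslog-host" in names


def resolve_host(event, configured_host, sourcetype, props):
    """Host that ends up on the indexed event: the value found in the syslog
    header when the transform is active and matches, otherwise the host set
    in inputs.conf."""
    if host_extraction_enabled(props, sourcetype):
        match = SYSLOG_HOST_RE.match(event)
        if match:
            return match.group("host")
    return configured_host


if __name__ == "__main__":
    props = load_props(PROPS_CONF)
    print("syslog        ->", resolve_host(EVENT, "myhostname", "syslog", props))
    print("syslog_nohost ->", resolve_host(EVENT, "myhostiwanttoenforce", "syslog_nohost", props))
```

Running it prints 10.21.24.612 for the syslog sourcetype and the forced host for syslog_nohost, which is the behaviour change the answer describes. The host_extraction_enabled check is also a quick way to audit a props.conf copy on the indexers: if TRANSFORMS still lists syslog-host, the inputs.conf host value will be overridden by whatever appears in the message header.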