Hi,
After setting up a listener on UDP port (514) for syslog using inputs.conf, I tried to change the sourcetype from syslog (set in inputs.conf) to syslog_nf. Thus, I used the first method:
props.conf
[source::udp:514]
sourcetype = syslog_nf
This doesn't change anything!
However, when I do:
[syslog]
rename = syslog_nf
The change happens! Does anyone have any idea about this?
Try this.
First define the sourcetype in transforms.conf. Something like:
[set_sourcetype_syslog_nf]
FORMAT = sourcetype::syslog_nf
DEST_KEY = MetaData:Sourcetype
Note: Check if you need any REGEX.
Then, in props.conf
[source::udp:514]
TRANSFORMS-changesourcetype = set_sourcetype_syslog_nf
But, as somesoni2 commented, I would also suggest setting sourcetypes in inputs.conf.
Try changing the sourcetype directly in inputs.conf. It's simpler than doing the same thing through props.conf.