Hi,
I need to process a syslog feed, but only keep certain hosts, and throw the rest away.
I first setup the feed to process syslog and set the host to the incoming device, and everything looks ok.
However, once I add the piece to parse the syslog, the naming of the host reverts back to the name of the server where the forwarder is running (running a heavy forwarder). I'm not sure why that is happening. Here are my props.conf and transforms.conf:
props.conf:
[euc_syslogdata]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
NO_BINARY_CHECK = 1
TRANSFORMs = syslog-host,setnull,setparsing
transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = [vc-]
DEST_KEY = queue
FORMAT = indexQueue
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s
FORMAT = host::$1
