Hi,
we facing an issue with replacement of the hostname with real ip of the source server in the logs
The logs are sent by Universal Forwarder.
here is the example:
Orig: "Jul 12 17:26:41 spluf3.com sudo:spladmin : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/ls -ls"
Target: "Jul 12 17:26:41 172.17.0.3 sudo:spladmin : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/ls -ls"

the hostname "spluf3.com" should be replaced with the real IP address (172.17.0.3) of the "spluf3.com".

Lookups is not the best variant - there are too much dynamical systems served by DHCP and lot of systems with IP addresses only (DNS lookups gives nothing).
Flow is as follow: UF -> HF -> Indexer
Transformation will be done at HF.

Here are our configs:

inputs.conf ->
[default]
host = spluf3.com

[monitor:///var/log/secure]
disabled=0
sourcetype=syslog

props.conf ->
[source::/var/log/secure]
TRANSFORMS-siem = send_to_qradar

transforms.conf ->
[send_to_qradar]

this will find IP address of the server/host

SOURCE_KEY=_raw
REGEX = server:(\w+)

this should find the hostname in the message source

REGEX = \S+\s\S+\s\S+\s(\S+)
DEST_KEY = _raw
FORMAT=$2=$1

Will it work?
Or do you have any experience with how to replace in the message source hostname $2 with IP address $1?

Thank you in advance for promt answers!
br,
Oleg