I was able to get this working after changing monitor stanza to three "///" i.e.
This works:
[monitor:///var/log/splunk/websense-*log]
index = proxy
sourcetype = websense
host_regex = .*\-(.+)\.log
However, using a directory continues to fail:
[monitor:///var/log/splunk/websense/*log]
index = proxy
sourcetype = websense
host_regex = .*\/(.+)\.log
So I'm forced to place all the logs into the main directory; I can't move them into their own "sourcetype" subdirectories. Not a major issue, however it would be a little neater and help my OCD... 😉
The main point, however, is that the host_regex is now working on the "*" wildcard, and hostnames are updating correctly in Splunk.
So in /etc/rsyslog.d/splunk.conf, we have the declarations like these, which makes the filtering more dynamic:
template (name="fortigate" type="string" string="/var/log/splunk/fortigate-%HOSTNAME%.log")
template (name="fortiweb" type="string" string="/var/log/splunk/fortiweb-%HOSTNAME%.log")
template (name="fortiwebcef" type="string" string="/var/log/splunk/fortiwebcef-%HOSTNAME%.log")
template (name="mfa" type="string" string="/var/log/splunk/mfa-%HOSTNAME%.log")
if $msg contains "devid=FGT" then { action (type="omfile" dynafile="fortigate") stop }
if $msg contains "device_id=FVVM" then { action (type="omfile" dynafile="fortiweb") stop }
if $programname == "CEF" and $msg contains "FortiWeb" then { action (type="omfile" dynafile="fortiwebcef") stop }
if $programname == "pfsvc" then { action (type="omfile" dynafile="mfa") stop }
Thanks for all posts / answers.
Cheers
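As an added check (not part of the post above, nor Splunk's or rsyslog's own code): a small Python script that applies the two host_regex values from the post to constructed file paths and reports which capture group Splunk would use as the host, including a hostname that itself contains a hyphen. The anchored pattern at the end is my own assumption, offered as a comparison, not something from the post.

```python
import re

# Constructed sample paths in the layout the post describes:
# rsyslog's dynafile templates write /var/log/splunk/<type>-<hostname>.log,
# and the failing variant keeps per-type subdirectories.
SAMPLE_PATHS = [
    "/var/log/splunk/fortigate-fw01.log",
    "/var/log/splunk/fortiweb-waf-edge.log",  # hostname contains a hyphen
    "/var/log/splunk/mfa/mfa-auth01.log",     # subdirectory layout
]

# The two host_regex values quoted in the post (flat layout / subdirectory layout).
HOST_REGEX_FLAT = r".*\-(.+)\.log"
HOST_REGEX_DIR = r".*\/(.+)\.log"

# Assumed alternative (not from the post): anchor on the last path component
# and take everything after the *first* hyphen, so hyphenated hostnames survive.
HOST_REGEX_ANCHORED = r"/[^/]+?-(.+)\.log$"


def extract_host(path, pattern):
    """Return the first capture group of pattern applied to path, or None.

    Splunk's host_regex uses the first capture group as the host value,
    so this mirrors what the forwarder would assign.
    """
    m = re.search(pattern, path)
    return m.group(1) if m else None


def host_table(pattern, paths=SAMPLE_PATHS):
    """Map every sample path to the host the given pattern would extract."""
    return {p: extract_host(p, pattern) for p in paths}


if __name__ == "__main__":
    for name, pattern in [("flat", HOST_REGEX_FLAT),
                          ("dir", HOST_REGEX_DIR),
                          ("anchored", HOST_REGEX_ANCHORED)]:
        print(f"host_regex = {pattern}  ({name})")
        for path, host in host_table(pattern).items():
            print(f"  {path} -> {host!r}")
```

Note that the greedy `.*` in the flat pattern backtracks to the last hyphen, so `fortiweb-waf-edge.log` yields the host `edge` rather than `waf-edge`; that is worth checking before trusting host-based searches or alerts.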