Hi, I already have a syslog receiver (rsyslogd) that receives ALL syslog messages from our environment. I configured it to forward everything to 127.0.0.1 UDP port 515. Then I added a UDP Network data input in Splunk of port 515 of type syslog.
However, every event in Splunk has timestamp localhost prepended to it like so:
Sep 6 14:00:32 localhost Sep 6 14:00:32 uskyarpts08s0.mydomain.com vsftpd[4174]: warning: can't get client address: Connection reset by peer
Is there any way to make it so the original syslog host (uskyarpts08s0) is preserved as the actual source host and the localhost is not prepended?
... View more