We have a heavy forwarder set up on our log server. It is sending to rsyslog and then forwarding to the indexer.
If I send it directly from the forwarder to the indexer, then I receive the log server as the host field. If I send it through rsyslog, then I receive localhost in the host field.
This is our config on the heavy forwarder:
outputs.conf
[syslog:syslog_group]
server = IndexerIP:514
type = tcp
inputs.conf
[tcp://:9997]
props.conf
[host::*]
TRANSFORMS-sys = syslogrouting
transforms.conf
[syslogrouting]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_group
The indexer is set to receive in syslog format.
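As an added example (not from the original post or from Splunk's own code), the script below parses RFC 3164-style syslog headers and flags events whose HOSTNAME field has been reduced to a loopback name. It assumes that a syslog-format input derives the host field from that header field, so an intermediate relay that rewrites the hostname would produce exactly the symptom described above; the sample lines are constructed and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not captured from the poster's environment):
# RFC 3164-style messages as they might arrive on a TCP syslog input.
# The second line shows a header whose HOSTNAME has become "localhost".
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 logserver01 sshd[1234]: Accepted publickey for admin",
    "<34>Oct 11 22:14:16 localhost sshd[1234]: Accepted publickey for admin",
    "Oct 11 22:14:17 logserver01 kernel: audit: type=1400 apparmor=DENIED",
]

# RFC 3164 layout: optional <PRI>, TIMESTAMP (Mmm dd hh:mm:ss), HOSTNAME, MSG.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>[^ ]+) "
    r"(?P<message>.*)$"
)

# Hostnames that indicate the original sender identity was lost in transit.
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def parse_syslog_header(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog line into pri, timestamp, hostname and message.

    Returns None when the line does not carry a recognisable header.
    """
    match = HEADER_RE.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    if fields["pri"] is not None:
        # Facility is PRI // 8, severity is PRI % 8 (RFC 3164 section 4.1.1).
        pri = int(fields["pri"])
        fields["facility"] = str(pri // 8)
        fields["severity"] = str(pri % 8)
    return fields


def header_hostname(line: str) -> Optional[str]:
    """Return the HOSTNAME field a syslog input would use for host."""
    parsed = parse_syslog_header(line)
    return parsed["hostname"] if parsed else None


def is_host_rewritten(line: str) -> bool:
    """True when the header hostname no longer identifies the real sender."""
    hostname = header_hostname(line)
    return hostname is not None and hostname.lower() in LOOPBACK_HOSTS


def audit_lines(lines: List[str]) -> Dict[str, int]:
    """Count how many lines parse, and how many have a loopback hostname.

    A non-zero "rewritten" count on a relay's output is the thing to look
    for when events show up under localhost instead of the sending host.
    """
    summary = {"total": len(lines), "unparsed": 0, "rewritten": 0}
    for line in lines:
        if parse_syslog_header(line) is None:
            summary["unparsed"] += 1
        elif is_host_rewritten(line):
            summary["rewritten"] += 1
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{header_hostname(line)!s:12} rewritten={is_host_rewritten(line)}")
    print(audit_lines(SAMPLE_LINES))
```

Run it against a capture taken between rsyslog and the indexer (for example from a short tcpdump of port 514, decoded to text) to confirm whether the hostname is already localhost on the wire before Splunk sees it, which separates a relay-side rewrite from an indexer-side parsing problem.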