I have a problem where I can not find syslog messages for certain hosts based on the "host" field. e.g. the search host="h1" returns no results for my system with the hostname h1. If I search for simply "h1", I can find the results I want. But I notice then that the "host" field is showing the IP address of h1, rather than h1 as it should. Through experimentation, I have found that this happens for any host where the host name is 2 characters or less. Any host name that is at least 3 characters long works.
Looking at the transforms.conf file, I think I see the likely causes in the following regular expressions:
[syslog-host] DEST_KEY = MetaData:Host
REGEX =
:\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s
FORMAT = host::$1
[syslog-host-full] DEST_KEY =
MetaData:Host REGEX =
^[^:]\d\d:\d\d:\d\d[^:]?\s((\d+.\d+.\d+.\d+)|(\w[\w.-]{2,})(?=\s+[^\s:]+:))
FORMAT = host::$1
In both cases, the "{2,}" seems to force a 3 character or greater host name before these expressions will match. This seems like an arbitrary limit. Could these be changed to "{1,}" or even "{0,}" to allow 2 or 1 character hostnames?
... View more