Logstash Syslog Input - Capture the Connecting Host's IP Address

Hi, Newbie to Logstash here and could use some assistance regarding the Syslog input connector. I currently have the Syslog connector working successfully, but noticed the JSON output has a host.ip element that always shows the IP of the Logstash server rather than the IP of the connecting host that's sending the logs (the source) to the Logstash server. Nowhere in the JSON is the true source IP of the source sending the logs. Is there a way to determine and capture the connecting host's IP address?


That's what [host][ip] is. It is pulled from the peeraddr of the socket.

Are you using a syslog server on the logstash server to forward the messages?

The Logstash server is a separate server currently running on Windows (currently using this to perform some proof-of-concept testing). The syslog source is a separate Linux host that's sending syslog messages to the Windows Logstash server. So what I'm trying to determine is how to reference the incoming source IP of the Linux host that's sending syslog to the Windows Logstash server. I've seen references in the Logstash documentation to [host][ip] and similar, but I can't quite figure out how to actually use it. Every variation I've tried results in Logstash throwing an error during startup.

Do you have any sample output on your events? Or can you share your input config? You might need to inspect your events to see exactly what fields are available on your events. But it would be weird for logstash to be showing a lot of errors if you’re just trying to reference a field that does not exist in the event.

input {
  syslog {
    # listens on TCP and UDP 514 and parses the RFC3164 header
    port => 514
    type => "syslog"
  }
}

output {
  file {
    # every event written unfiltered so the raw fields can be inspected
    path => "/path/to/output/file.log"
  }
}

The above sample is a straight pass-through config (no filters) that could be used to inspect events from Logstash's perspective. It's difficult to help you without more information, including but not limited to

  • the logstash config you’re using
  • errors you are seeing from logstash

Ok, so I just figured out my issue. As I was testing sending syslog from a Linux machine to a Logstash Windows server with the Syslog input connector running, I kept seeing the Logstash server IP show up in the output as the host.ip. I couldn't figure out why this was happening because the Linux box was a different system with a different IP. As it turns out, the reason was the network connectivity between the Linux host and the Logstash server. The Logstash server was running on a bare-metal Windows host and the Linux machine was running as a VM in Hyper-V on that same Windows host and was connected using an "Internal" vswitch. So every time the Linux machine would connect to the Logstash server (also the underlying Hyper-V host), it was doing so through the internal vswitch's NAT IP address, which was that of the Hyper-V host running Logstash! I built the Linux VM months ago and simply forgot about how the underlying network was configured.

Thanks all for your help. I think just asking the question and posting it to this forum helped me sort it out.
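The two technical points in this thread, that the syslog input fills [host][ip] from the socket's peer address and that a NAT hop (here the Hyper-V internal vswitch) replaces that address with its own, as an added Python example that is not part of the thread and not Logstash's own code. It models what a syslog listener actually has to work with: the transport peer address, which becomes host.ip, and the hostname inside the RFC3164 header, which is whatever the sender chose to write. The host.ip / host.hostname field layout, the relay check, the parse-failure tag name, the sample datagram and the addresses are all assumptions made for this example.

```python
"""Added example, not from the original thread or from Logstash itself.

Models what a syslog input has to work with: [host][ip] can only come from
the transport peer address (the socket's peeraddr), while the hostname in
the RFC3164 header is whatever the sender wrote.  The field layout
(host.ip / host.hostname), the tag name and the relay check are assumptions
made for this example."""
import re
import socket

# RFC3164 BSD syslog line: <PRI>TIMESTAMP HOSTNAME MESSAGE (assumed layout).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<message>.*)$",
    re.DOTALL,
)


def parse_syslog_event(data: bytes, peer: tuple) -> dict:
    """Build an event the way a syslog input does.

    peer is the (ip, port) tuple recvfrom()/accept() reported.  Its IP is
    the only thing that becomes [host][ip]; nothing inside the message can
    change it.  [host][hostname] is self-reported by the sender and is
    therefore not evidence of where the packet actually came from.
    """
    text = data.decode("utf-8", errors="replace").rstrip("\r\n")
    event = {"host": {"ip": peer[0]}, "message": text}
    m = SYSLOG_RE.match(text)
    if m is None:
        # Tag name is this example's own, not Logstash's.
        event["tags"] = ["_syslog_parse_failure"]
        return event
    pri = int(m["pri"])
    event["host"]["hostname"] = m["hostname"]
    event["message"] = m["message"]
    event["timestamp"] = m["timestamp"]
    event["log"] = {
        "syslog": {"facility": {"code": pri // 8}, "severity": {"code": pri % 8}}
    }
    return event


def peer_is_relay(event: dict, relay_addrs: set) -> bool:
    """True when [host][ip] is an address a NAT gateway or forwarding syslog
    server presents on the sender's behalf.  In the thread that address was
    the Hyper-V host's internal-vswitch NAT address, which is also where
    Logstash was running, so every event looked local."""
    return event["host"]["ip"] in relay_addrs


def receive_via_loopback(datagram: bytes) -> dict:
    """Send one datagram over UDP loopback and build the event from what the
    receiving socket reports as the peer, which is all a syslog listener
    ever sees."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        tx.sendto(datagram, rx.getsockname())
        data, peer = rx.recvfrom(65535)
        return parse_syslog_event(data, peer)
    finally:
        rx.close()
        tx.close()


# Constructed sample: a Linux VM ("linux-vm") behind a NAT whose outside
# address is 192.168.0.1, the same machine that runs the listener.
SAMPLE_DATAGRAM = (
    b"<34>Oct 11 22:14:15 linux-vm sshd[1234]: "
    b"Failed password for root from 203.0.113.7 port 5555 ssh2\n"
)
NAT_PEER = ("192.168.0.1", 51000)
RELAY_ADDRS = {"192.168.0.1"}


if __name__ == "__main__":
    ev = parse_syslog_event(SAMPLE_DATAGRAM, NAT_PEER)
    print("host.ip      :", ev["host"]["ip"], "(from peeraddr)")
    print("host.hostname:", ev["host"]["hostname"], "(from the message)")
    print("via relay?   :", peer_is_relay(ev, RELAY_ADDRS))
    print("loopback peer:", receive_via_loopback(SAMPLE_DATAGRAM)["host"]["ip"])
```

The practical consequence for anyone building detections on these events: host.ip is trustworthy as far as the last hop that delivered the packet (a NAT or a forwarding syslog server), and no further; host.hostname is trustworthy only as far as the sender is. If either is collapsed by a NAT in front of the listener, as in this thread, fix the network path rather than trying to recover the origin from the message text.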
