Hi, Newbie to Logstash here and could use some assistance regarding the Syslog input connector. I currently have the Syslog connector working successfully, but noticed the JSON output has a host.ip element that always shows the IP of the Logstash server rather than the IP of the connecting host that's sending the logs (the source) to the Logstash server. Nowhere in the JSON is the true source IP of the source sending the logs. Is there a way to determine and capture the connecting host's IP address?
The Logstash server is a separate server currently running on Windows (currently using this to perform some proof-of-concept testing). The syslog source is a separate Linux host that's sending syslog messages to the Windows Logstash server. So what I'm trying to determine is how to reference the incoming source IP of the Linux host that's sending syslog to the Windows Logstash server. I've seen references in the Logstash documentation to [host][ip] and similar, but I can't quite figure out how to actually use it. Every variation I've tried results in Logstash throwing an error during startup.
Do you have any sample output on your events? Or can you share your input config? You might need to inspect your events to see exactly what fields are available on your events. But it would be weird for logstash to be showing a lot of errors if you’re just trying to reference a field that does not exist in the event.
The above sample is a straight pass-through config (no filters) that could be used to inspect events from Logstash's perspective. It's difficult to help you without more information, including but not limited to
Ok, so I just figured out my issue. As I was testing sending syslog from a Linux machine to a Logstash Windows server with the Syslog input connector running, I kept seeing the Logstash server IP show up in the output as the host.ip. I couldn't figure out why this was happening because the Linux box was a different system with a different IP. As it turns out, the reason was the network connectivity between the Linux host and the Logstash server. The Logstash server was running on a bare-metal Windows host, and the Linux machine was running as a VM in Hyper-V on that same Windows host and was connected using an "Internal" vswitch. So every time the Linux machine connected to the Logstash server (also the underlying Hyper-V host), it was doing so through the internal vswitch's NAT IP address, which was that of the Hyper-V host running Logstash! I built the Linux VM months ago and simply forgot about how the underlying network was configured.
Thanks all for your help. I think just asking the question and posting it to this forum helped me sort it out.
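The thread turns on the difference between two things that are easy to confuse: the source address the listening socket reports for a datagram (which is what a syslog input records as the sender's IP, and which NAT rewrites, as happened above) and the hostname the sender writes into the syslog header itself (which is self-reported and never verified by the transport). The following is an added example, not code from the thread, from Logstash, or from Elastic: a minimal RFC 3164 parser plus a loopback UDP receiver that returns both values side by side, and a check that flags the NAT symptom described above, where the observed peer address is one of the listener's own addresses. The sample log line, the hostname `linux-vm`, and the function names are constructed for this example.

```python
"""Added example (not from the thread or from Logstash): separate the transport
peer address a syslog listener observes from the hostname carried in the
message, and flag the NAT symptom where the peer address is the listener itself."""
import re
import socket
from dataclasses import dataclass

# Constructed sample in RFC 3164 form: <PRI>TIMESTAMP HOSTNAME TAG: MSG
SAMPLE = "<34>Oct 11 22:14:15 linux-vm sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234"

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    peer_ip: str       # address reported by the socket: what the transport actually saw
    facility: int      # PRI // 8
    severity: int      # PRI % 8
    header_host: str   # hostname the sender wrote into the message: self-reported, unverified
    message: str


def parse_syslog(line: str, peer_ip: str) -> SyslogEvent:
    """Parse an RFC 3164 line and attach the peer address the receiver observed."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    return SyslogEvent(peer_ip, pri // 8, pri % 8, m["host"], m["msg"])


def source_looks_natted(ev: SyslogEvent, listener_ips: set) -> bool:
    """True when the observed peer address is one of the listener's own addresses.

    This is the situation in the thread: the VM sat behind a Hyper-V internal
    vswitch whose NAT rewrote the source to the Hyper-V host's address, so the
    listener saw itself as the sender. The header hostname still names the VM,
    but that value is whatever the sender chose to put there."""
    return ev.peer_ip in listener_ips


def receive_one_loopback(line: str) -> SyslogEvent:
    """Send one datagram to ourselves over loopback and report what the
    receiving socket says the peer address was (127.0.0.1, not the header host)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        cli.sendto(line.encode(), srv.getsockname())
        data, (peer_ip, _port) = srv.recvfrom(65535)
    finally:
        cli.close()
        srv.close()
    return parse_syslog(data.decode(), peer_ip)


if __name__ == "__main__":
    ev = receive_one_loopback(SAMPLE)
    print(f"transport peer ip : {ev.peer_ip}")       # what a syslog input stores as the sender IP
    print(f"header hostname   : {ev.header_host}")   # what the sender claimed
    print(f"facility/severity : {ev.facility}/{ev.severity}")
    # Treating the receiver's own address as the listener set reproduces the thread's symptom.
    print(f"looks natted      : {source_looks_natted(ev, {'127.0.0.1'})}")
```

Two practical consequences follow. First, the IP a syslog input records is only as meaningful as the path the packets took: any NAT between the sender and the listener (the Hyper-V internal vswitch above, a cloud NAT gateway, a relay) replaces it, so attributing events by that IP across such a hop is wrong rather than merely imprecise. Second, the hostname inside the message is not a substitute for it, because any process that can reach the listener can write any hostname it likes there; for attribution, prefer a transport you control end to end, or a relay that stamps the address it observed before forwarding.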