Using rsyslog server & reporting agent name

I am using an rsyslog server. I have several of my machines forwarding their logs there, then Elastic picks them up. I am going through one of the records and notice that the hostname is rsyslog, but when I look at the message I know it is not a log of rsyslog, but from one of the clients it receives from. Also, the log file path has an indicator that this log is not from the rsyslog server, but again, from one of its clients. What is the best way to sort and organize this data?

Are you looking at the "host" field that logstash adds to the data? Because by default it seems to be the hostname of the machine it is running on.

If you want to actually get the hostname from the log itself you will need to grok it.

This site is super handy for building a grok expression:
https://grokconstructor.appspot.com/do/construction

%{SYSLOGBASE} is probably what you'd start with.

Another thing you might want to consider is splitting on the rsyslog server, writing different sources to different files so you can differentiate them by the path field.

This won't make your hostname show up right, but it's handy for troubleshooting in my experience.

Here's a quick and dirty example I've used in the past. You'd put it (or probably something similar; I make no claims for this thing's quality, I copied and pasted it out of an old machine I have lying around) into your /etc/rsyslog.d/

```
# One file per sending host, keyed on the IP the message arrived from
$template REMOTESPLIT,"/var/log/remote/%fromhost-ip%/syslog.log"

# Anything not originating on this box goes to the per-sender file ...
if $fromhost-ip != '127.0.0.1' then ?REMOTESPLIT
# ... and is then discarded so it does not also land in the local logs
# ("& ~" is the legacy discard action; "& stop" is the modern equivalent)
& ~
```

That would split them up by IP and put each machine's logs into its own folder.
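To show the two ideas from this answer working together, here is an added example (not code from the thread or from Logstash): a small Python parser that approximates the grok %{SYSLOGBASE} pattern to pull the self-reported hostname out of the message, and a helper that combines it with the sender IP recovered from the REMOTESPLIT path. The field names `collector`, `sender_ip` and `origin_verified`, the sample events, and the simplified regex are all my own assumptions, not Elastic conventions.

```python
import re
from typing import Optional

# Approximation of grok %{SYSLOGBASE}: SYSLOGTIMESTAMP, optional
# <facility.priority>, SYSLOGHOST, PROG[pid]: (assumption: covers classic
# BSD-style lines only; the real grok definition is broader).
SYSLOGBASE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:<(?P<facility>\d+)\.(?P<priority>\d+)> )?"
    r"(?P<logsource>[A-Za-z0-9._-]+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)

# Directory layout produced by the REMOTESPLIT template in the answer above.
REMOTESPLIT_PATH_RE = re.compile(r"^/var/log/remote/(?P<fromhost_ip>[0-9.]+)/")


def parse_syslogbase(line: str) -> Optional[dict]:
    """Return the SYSLOGBASE fields of a line, or None if it does not match."""
    m = SYSLOGBASE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"]) if d["pid"] else None
    return d


def enrich_event(event: dict) -> dict:
    """Return a copy of a shipped event with the originating host attached.

    `host` as set by the shipper is the collector (the rsyslog box). It is kept
    under `collector`; `host` is replaced by the hostname written in the message,
    and `sender_ip` is taken from the REMOTESPLIT path, which rsyslog derived
    from the network source address rather than from message content.
    """
    out = dict(event)
    out["collector"] = event.get("host")
    parsed = parse_syslogbase(event.get("message", ""))
    if parsed:
        out["host"] = parsed["logsource"]
        out["program"] = parsed["program"]
        out["pid"] = parsed["pid"]
        out["syslog_message"] = parsed["message"]
    pm = REMOTESPLIT_PATH_RE.match(event.get("path", ""))
    if pm:
        out["sender_ip"] = pm.group("fromhost_ip")
    # The hostname inside the message is whatever the client chose to write;
    # only the path-derived IP reflects where the packet actually came from.
    out["origin_verified"] = "sender_ip" in out
    return out


# Constructed sample events in the shape Logstash's file input would emit.
SAMPLE_EVENTS = [
    {"host": "rsyslog", "path": "/var/log/remote/10.0.0.5/syslog.log",
     "message": "Mar  3 14:02:11 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.9 port 51234 ssh2"},
    {"host": "rsyslog", "path": "/var/log/syslog",
     "message": "Mar  3 14:02:12 rsyslog rsyslogd: [origin software=\"rsyslogd\"] rsyslogd was HUPed"},
    {"host": "rsyslog", "path": "/var/log/remote/10.0.0.7/syslog.log",
     "message": "not a syslog line at all"},
]


def enrich_all(events=SAMPLE_EVENTS):
    return [enrich_event(e) for e in events]


if __name__ == "__main__":
    for e in enrich_all():
        print(e["host"], e.get("sender_ip"), e.get("program"), e["origin_verified"])
```

Keeping both values is the point: `host` answers "which machine claims to have written this", `sender_ip` answers "which machine delivered it to the collector", and a mismatch between the two (or a record with no `sender_ip` at all) is worth a look before you trust the host field in a dashboard.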
