What is the exact definition of the fields “source” and “sourceip”?
I’ve noticed a slight difference for some machines… Apparently some devices (e.g. Citrix NetScaler) won’t include an IP address for the field “source” in the syslog header and instead return the value “0”.
Unfortunately the field “source” is used for the “sources overview” (the tab between Dashboards and System).
The source field contains the client host name where the message originated (or any other arbitrary string), depending on the input.
The sourceip field is a custom field and may contain arbitrary content, depending on how you process the received messages (i.e. which extractors you’re using).