Graylog with NGINX udp proxy, keep source ip


I stumbled across Graylog, and wanted to give it a try.

I setup the server, with a NGINX stream proxy in front of it, everything is working perfect. But all my syslog i receive gets the NGINX-servers ip as the source.

How do i keep the source adress from my (example) ASA firewall instead. I cant seem to fingure it out. My NGINX i very simple as follows:

stream {
server {
listen 514 udp:



If hostname is directly in Syslog message, you can extract it and replace source field with it using pipeline rule. If there is no hostname in syslog, graylog can use address sending logs. Please post your example message, and how do you parse it?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.