Is it possible to keep the fromhost-ip after RSYSLOG transmits message

xuziheng1002 · September 21, 2017, 8:32am

My Graylog Server is listening udp/514 by rsyslog service.
Rsyslog transmits messages when it receives any messages.
And I do the replace(let ipaddress replace source) as below picture:

The issue is:
the messages’ [gl2_remote_ip] field will replaced to RSYSLOG’s IP by RSYSLOG.

here is the config in my RSYSLOG:

*.* @10.162.102.124:1514;RSYSLOG_SyslogProtocol23Format

How can I do ?

replace the source IP in RSYSLOG?

jan · September 21, 2017, 8:50am

@xuziheng1002

did you have preserved hostname set in rsyslog?

PreserveFQDN on

xuziheng1002 · September 21, 2017, 8:54am

yes I did,but issue is not resolve.

jochen · September 23, 2017, 11:17am

Well, that’s exactly what the gl2_remote_ip is supposed to contain: The IP address of the client from which Graylog received the message.

If the message was received from rsyslog, then gl2_remote_ip will contain the IP address of the rsyslog server.

Using a Syslog UDP or TCP input on the other hand, will try to find the hostname contained in the actual syslog message and fill the source message field with it.

Topic		Replies	Views
Multiple servers forwarding to Graylog Graylog Central (peer support)	5	2452	December 14, 2017
Source coming in as IP address and not resolved DNS name Graylog Central (peer support)	15	7015	April 22, 2019
Source doesn't always show host or IP Graylog Central (peer support)	7	1944	December 6, 2021
I have some questions about default field 'source' Graylog Central (peer support) pipeline-rules	5	4505	April 24, 2017
Is it possible to reformat the source IP of a relayed message? Graylog Central (peer support)	2	2411	June 20, 2017

Is it possible to keep the fromhost-ip after RSYSLOG transmits message

Related topics