I am planning a Graylog installation with 4 nodes (2 GL, 2 ES). The primary reason is to distribute load and be able to scale out with additional nodes if load increases.
To distribute inputs (Beats, Syslog, SNMP) to both GL nodes, an external load balancer will be used. During my tests I noticed that the source field is set to the load balancer IP instead of the source host. With Beats it's no problem, as Filebeat writes its local hostname in another field. But syslog does not, and so I do not know who is sending the data.
How do you handle that?