Logs from AIX machine giving source as message in graylog

Hi Guys,

I need help. I have a setup of Graylog and it is working fine for logs from rsyslog on Linux, but for the AIX machine I am using syslog as the forwarder, and the problem I am facing is that the source is coming in as "Message" instead of the server name.

Timestamp source
2019-03-27 14:46:01.000 Message

How do I fix this?

Br,
Gurpreet

fix your sending source …

What type of software did you use on the AIX machines?

Hi Jan,

I am using the syslog forwarder on the AIX side. This is the entry in syslog.conf: *.debug @141.247.233.209

Again, what software did you use?

rsyslog, syslog-ng?

You need to configure that software to follow one of the two possible syslog standards, that is, RFC5424 or RFC3164. When that is configured correctly, your issues will be gone.

Yes, Jan, it is configured. I am using the default syslog in AIX. Messages are getting forwarded, but on Graylog it says "Message forwarded from" instead of just the server name. For Linux it is working fine.

I think I was not able to explain it properly. Actually the problem is that I am getting the messages from my AIX machine, but in the source field I am getting "Message forwarded from".

As mentioned in the below document.
https://rsa.jiveon.com/docs/DOC-48972

My objective is to receive the hostname in source, not "Message forwarded from" :confused:

but the document gives you a solution already:

When starting the syslogd daemon on AIX, don't use the -n flag.

@jan

No, Jan. If I use the -n flag it will suppress all of the message, i.e. "Message forwarded from"; instead I am seeing the source name as syslogd. My concern is to remove the phrase "Message forwarded from" … I still need the source to give me the hostname in the source field so that I can run my queries successfully.

If you forward your messages to a RAW input in Graylog, how do they look?

BTW, you have seen that this is not bad behaviour of Graylog, and we fix the shitty stuff others send, right … just to make it clear.

@jan Agreed, it's not at fault. I appreciate your help, but I am new to Graylog and just wondering if I can have a meaningful hostname in the source field … I know it has to do with AIX syslog instead of Graylog.

In the end you can fix anything in Graylog, but it will put some load on the system. So you should have clean messages if possible. And having the source follow the standards is the minimum I can think of.

I personally would create a RAW input, check how messages are ingested into it, and use the processing pipeline to normalize and split the messages to my needs and wishes.
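To illustrate the normalization step Jan describes, here is a small Python script (added here as an example; it is not code from this thread, from Graylog or from AIX) that does what a pipeline rule on a RAW input would do: parse the RFC 3164 header, detect the AIX "Message forwarded from <host>:" prefix, move the real hostname into source and strip the prefix from the message. The sample lines and the exact wording of the prefix are constructed from what the thread shows ("Message" landing in source) and are assumptions, not captured output from the poster's machines.

```python
import re
from typing import Dict

# Constructed sample lines (assumed format, not captured from the thread's machines).
SAMPLE_LINES = [
    # AIX syslogd forwarding without -n: the real host is embedded in the text, so a
    # plain RFC 3164 parser takes the first token "Message" as the hostname.
    "<13>Mar 27 14:46:01 Message forwarded from aixhost01: sshd[4242]: Accepted publickey for admin",
    # Same host started with -n: no forwarding note, the hostname slot holds the program tag.
    "<13>Mar 27 14:46:02 syslogd: restart",
    # Ordinary RFC 3164 line from a Linux rsyslog box, which needs no rewriting.
    "<13>Mar 27 14:46:03 linuxhost01 cron[77]: (root) CMD (run-parts)",
]

# RFC 3164-style header: <PRI>, a "Mmm dd hh:mm:ss" timestamp, then the rest of the line.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$"
)

# AIX forwarding prefix as assumed for this example: "Message forwarded from <host>: <msg>".
FORWARDED_RE = re.compile(r"^Message forwarded from (?P<host>[^\s:]+):\s*(?P<msg>.*)$")


def normalize(line: str) -> Dict[str, object]:
    """Return the corrected source/message pair for one raw syslog line.

    'naive_source' is what a plain RFC 3164 parser (and Graylog's syslog input)
    would have used as the hostname; 'source' is the value after normalization.
    """
    m = HEADER_RE.match(line)
    if not m:
        # No recognizable header: keep the whole line and flag it for inspection.
        return {"source": "unknown", "message": line, "naive_source": "",
                "rewritten": False, "note": "no RFC3164 header"}

    rest = m.group("rest")
    naive_source = rest.split(" ", 1)[0]

    fwd = FORWARDED_RE.match(rest)
    if fwd:
        # Forwarded AIX message: the hostname lives inside the text, not in the header slot.
        return {"source": fwd.group("host"), "message": fwd.group("msg"),
                "naive_source": naive_source, "rewritten": True}

    host, _, msg = rest.partition(" ")
    # A trailing colon means the slot holds a program tag (e.g. "syslogd:"), not a hostname;
    # strip it so the value is at least a clean token, and leave rewriting to a later rule.
    return {"source": host.rstrip(":"), "message": msg,
            "naive_source": naive_source, "rewritten": False}


def normalize_all(lines) -> list:
    """Normalize a batch of raw lines; handy for checking a RAW input's sample output."""
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for result in normalize_all(SAMPLE_LINES):
        print(f"{result['naive_source']!r:>12} -> {result['source']!r:<14} {result['message']}")
```

In Graylog the same logic maps onto a pipeline rule that runs a regex over the raw message and sets the source field from the captured group when the prefix matches; the Python version above is simply an offline way to confirm the regex against a few sample lines before loading the real stream, which is also where the extra processing load Jan mentions would land.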