I have setup a Graylog instance (4.2.8) on an Azure Virtual Machine.
It works fine, I used to run another instance locally for several months.
The issue I have is that every device that send syslogs to Graylog has its gl2_remote_ip as the WAN IP address and not the LAN IP address.
This is an issue since in some cases I have multiple devices behind the same router and I can’t differentiate them.
My question is, is there another hidden field that would allow me to know the LAN IP address of the device? I’ve checked on the fields sent by the devices and none of the have the source IP.
What Input are you using to receive the syslog? In some cases the Syslog inputs will break things out differently than the raw inputs will. I think the gl2_remote_ip is generated by Graylog by what it sees coming at the Input so you would either have to have the IP embedded in the syslog or perhaps create a DNS lookup table and translate from the source field… assuming the source field was hostname.
All first reaction conjecture since I have not had this particular issue.
I had a similar issue using Syslog UDP and had to either switch o GELF UDP or create new fields.
I have a couple question on your environment network.
If you do have multiple DMZ’s and with different network/s for each, how are they routed to your Graylog server( i.e. ACL’s. Port forward, etc…)?
Normally when a a device is in another network you should have a source IP address or at lest FQDN when those messages arrive at Graylog. This would depend on how your shipping those logs. I personally used Nxlog and applied a configuration to show FQDN for the host.
Exec $Hostname = hostname_fqdn();
In the message packet it should have the IP Address from where it came from. Data packets usually have a source and destination header.
Can you give us a mockup of the message without IP Address?
What log shipper are you using? and how did you configure it?
Have you tried using a different INPUT beside Syslog UDP?
Try a different input - I have seen other posts where community members have said they are missing information in the Syslog input. Either GELF or maybe RAW, see if the correct sending IP comes in then…