Tracking message source when using output to forward to another Graylog server

Glad you found a solution! That will at least put your site name in. If you are using Beats or nxlog, you can have those sidecar configurations add in the host name - here is an example for a Beats configuration that captures messages from Windows IIS and inserts the hostname as a field before the message is sent to Graylog. The line that does this: test_hostname: ${sidecar.nodeName}

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: ["${user.BeatsInput}"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winfilebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows, iis
filebeat:
  inputs:
    - type: log
      enabled: true
      # include_lines: ['example', 'Turf', 'stuff'] #Commented out... for now
      exclude_lines: ['^#'] # --exclude anything that starts with #
      fields:
        test_hostname: ${sidecar.nodeName}
      ignore_older: 7h
      paths:
        - R:\data\logs\iis\W3SVC2\*.log

You could also do it further down the path the message takes at the satellite office. Attach a pipeline on the stream associated with the local input(s) and use the source field to create a new and separate field to be picked up later - in simplest form the rule in the pipeline would look like this:

rule "the One True Source"
when
  true
then
    set_field("true_source", $message.source);
end

Also - Mark your note as the solution for future searchers! :smiley:
