Sometimes, if you send syslog messages from a device that does not follow the syslog RFC, you end up with an incorrect source field being extracted. This usually happens with network devices such as Cisco, which use their own syslog format.
This simple pipeline rule replaces the source field with the IP address of the sending device. It uses Graylog's internal field gl2_remote_ip, which contains the IP of the sending device. The best way to use this pipeline rule is to attach it to a pipeline that processes only the problematic devices.
rule "Replace source with sending IP"
when
  // only act on messages that actually carry a message field
  has_field("message")
then
  // gl2_remote_ip is the IP the message arrived from; it is a string, so convert explicitly
  set_field("source", to_string($message.gl2_remote_ip));
end
Please note that this solution is not recommended if you use a load balancer or a central log forwarder, as all messages would then carry the same IP.
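A variant of the rule that accounts for the relay caveat above, added here as an example and not part of the original post: it keeps the original value in a separate field so the rewrite can be audited, and leaves source untouched when the sending IP falls inside an assumed relay/load-balancer subnet (10.0.0.0/24 is a placeholder; the field name original_source is my choice).

```graylog
rule "Replace source with sending IP (skip relays)"
when
  has_field("gl2_remote_ip") &&
  // placeholder relay subnet: messages arriving from the load balancer
  // or forwarder keep whatever source the parser extracted
  ! cidr_match("10.0.0.0/24", to_ip($message.gl2_remote_ip))
then
  // preserve the extracted value so the rewrite can be traced later
  set_field("original_source", to_string($message.source));
  set_field("source", to_string($message.gl2_remote_ip));
end
```

Messages that do pass through the relay still need their real origin recovered from the message body, which this rule deliberately does not attempt.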