I have an rsyslog server aggregating syslog streams from switches and firewalls. The rsyslog server writes log files to disk by source IP address. I'm attempting to read these log files using an installed universal forwarder, and tag them with their host names. For example:
[monitor:///data/logs/10.1.1.1.log]
disabled = false
host = fw1
index = firewalls

[monitor:///data/logs/10.1.2.1.log]
disabled = false
host = fw2
index = firewalls
These logs are sent to the indexers, and then searched using the dedicated search head. Manually assigning the "host" name is working for some, but not all log files. Is there something I might be missing?
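One way to narrow down which files would end up with an unexpected host is to audit the forwarder's inputs.conf against the files rsyslog actually writes. The script below is an added example, not part of the original question and not Splunk's own tooling; the inputs.conf text, the [default] host `ufwd01`, the overlapping wildcard stanza, the stanza without a `host` line and the file list are all constructed for the demonstration.

```python
"""Cross-check Splunk inputs.conf monitor stanzas against the log files on disk.

For every log file, report whether exactly one enabled monitor stanza claims it
and whether that stanza sets an explicit host; otherwise the event host falls
back to the [default] stanza (or the forwarder's own hostname).
"""
import re
from fnmatch import fnmatchcase

# Constructed sample inputs.conf (assumption: the [default] host, the wildcard
# stanza and the stanza without a host line are invented for this example).
SAMPLE_INPUTS_CONF = """
[default]
host = ufwd01

[monitor:///data/logs/10.1.1.1.log]
disabled = false
host = fw1
index = firewalls

[monitor:///data/logs/10.1.2.1.log]
disabled = false
host = fw2
index = firewalls

# overlaps the stanza above for any 10.1.2.x file
[monitor:///data/logs/10.1.2.*.log]
disabled = false
host = fw-lab
index = firewalls

# no host line: events keep the default host
[monitor:///data/logs/10.1.3.1.log]
disabled = false
index = firewalls
"""

# Constructed list of files rsyslog has written (in practice: os.listdir("/data/logs"))
SAMPLE_FILES = [
    "/data/logs/10.1.1.1.log",
    "/data/logs/10.1.2.1.log",
    "/data/logs/10.1.3.1.log",
    "/data/logs/10.1.4.1.log",
]

STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} from inputs.conf-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def enabled_monitor_stanzas(stanzas):
    """Yield (path_pattern, settings) for monitor stanzas that are not disabled."""
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        if settings.get("disabled", "false").lower() in ("true", "1"):
            continue
        yield name[len("monitor://"):], settings


def audit_hosts(stanzas, files):
    """Map each file to (status, effective_host).

    status is 'ok' (one explicit host), 'no_host' (matched, but the host is
    inherited from [default]), 'ambiguous' (overlapping stanzas disagree on
    the host) or 'no_stanza' (nothing monitors the file). Wildcards are matched
    with fnmatch, a simplification of Splunk's own '*' and '...' rules.
    """
    default_host = stanzas.get("default", {}).get("host")  # None: forwarder hostname
    monitors = list(enabled_monitor_stanzas(stanzas))
    report = {}
    for path in files:
        claims = [s for pattern, s in monitors if fnmatchcase(path, pattern)]
        if not claims:
            report[path] = ("no_stanza", None)
            continue
        effective = {s.get("host", default_host) for s in claims}
        if len(effective) > 1:
            names = sorted(h or "<forwarder>" for h in effective)
            report[path] = ("ambiguous", ", ".join(names))
        elif any("host" in s for s in claims):
            report[path] = ("ok", effective.pop())
        else:
            report[path] = ("no_host", default_host)
    return report


if __name__ == "__main__":
    result = audit_hosts(parse_inputs_conf(SAMPLE_INPUTS_CONF), SAMPLE_FILES)
    for path, (status, host) in sorted(result.items()):
        print(f"{status:10} host={host!s:12} {path}")
```

A file reported as `no_stanza` is never read by the forwarder, a `no_host` file is indexed under the [default] host (or the forwarder's hostname when no [default] host is set), and `ambiguous` means two enabled stanzas overlap and disagree; comparing that list with the host values actually seen on the search head is a quick first check before digging into the forwarder's own logs.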