Hello
I have some syslog data collected and forwarded to a custom path:
/var/log/remote/2020//messages/
This data, for most logs, got the correct sourcetype = syslog.
inputs.conf:
[monitor:///var/log/remote/.../messages]
whitelist=(archive|\_messages\.log|_messages\.log\-)
blacklist=(\.bz2$)
index=nix_os
sourcetype = syslog
disabled = 0
recursive=true
crcSalt=SOURCE1
props.conf:
[source::.../var/log/remote/.../messages*]
sourcetype = syslog
I have unfortunately seen an issue where, if the file is below a certain size, it gets the filename set as the sourcetype.
filename:
hostname.env.ext.company.com_messages.log
path to filename:
/var/log/remote/2020/02/env/messages/hostname.env.ext.company.com_messages.log
sourcetype set as:
hostname.env.ext.company.com_messages
Why would the sourcetype get created as the filename?
Thanks for the help!