The network destination does not use the "file" default template.  You need to change the "forwarding" default template.  I don't have the exact syntax at hand, but I'm sure the documentation page does.

Regards,



On 9/21/20 12:49 PM, panda miki via rsyslog wrote:
Hi, I'm using Ubuntu 18, rsyslog v8.x. I have applied the custom template
*templ1* and am forwarding all logs to central log server 10.168.0.100 using
plain TCP. I checked traffic on the same forwarding client and observed that
%fromhost-ip% is not sent (hostname is seen in sent traffic). How can I
include this fromhost-ip field in logs forwarded to a SIEM software? This
helps me to identify log source hosts correctly.

$KLogPermitNonKernelFacility on

$template templ1,"%PRI% %TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate templ1

$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

*.* @@10.168.0.100
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
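
The fix the reply points at, as an added configuration example that is not part of the original thread. It binds the template to the forwarding action itself instead of changing the forwarding default the reply mentions; the template name and server address are the poster's, and the choice between the two options is an assumption about how the rest of the config is written.

```conf
# Template from the question, kept on a single line as the legacy
# $template directive requires.
$template templ1,"%PRI% %TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# As posted: this default only applies to file actions, so the TCP
# forwarding action keeps using rsyslog's built-in forwarding format
# and %fromhost-ip% never reaches the wire.
$ActionFileDefaultTemplate templ1
# *.* @@10.168.0.100

# Option 1 (legacy syntax): name the template after the destination,
# separated by a semicolon, so this action uses templ1.
*.* @@10.168.0.100;templ1

# Option 2 (RainerScript, use instead of option 1): the same plain-TCP
# forward with the template set as an action parameter.
# action(type="omfwd" target="10.168.0.100" protocol="tcp" template="templ1")
```

For messages generated on the forwarding host itself, rsyslog sets fromhost-ip to 127.0.0.1, so the field only identifies the source when this instance relays logs it received from other hosts.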


