Hello All
I found a similar question but did not see an answer.
I am forwarding Checkpoint logs that are coming in via tcp://514 and I am trying to forward the data to an HA syslog-ng environment. There is a NetScaler in front two different syslog-ng servers with round robin load balancing happening. I disabled the second syslog-ng host so that all logs get sent to sys-01. I see the following coming in:
Msg: 2020-12-22 18:30 host-blah-blah.xxx.xxx.xxx.com time=1608661800|hostname=logger|product=Firewall|layer_name=xx-stl-private Security|layer_uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|match_id=197|parent_rule=0|rule_action=Accept|rule_uid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|action=Accept|conn_direction=Internal|ifdir=inbound|ifname=eth2-01.716|logid=0|loguid={0x00000000,0x00,0x0000000,0xc0000000}|origin=xxx.xxx.xxx.xxx|originsicname=blah_gw-stl-prv|sequencenum=199|time=1608661800|version=5|dst=xxx.xxx.xxx.xxx|log_delay=1608661800|proto=6|s_port=47298|service=7031|src=xxx.xxx.xxx.xxx|
From the previous link that seems to be a bug, but I am going to assume that it is an old bug and should not exist in Splunk version 8.0.6.
Is there a way in the outputs.conf to force a header that has the hostname?
Thanks
ed