We have logs that come from a log aggregator, so they are coming from a single source. We are sending the logs to a file destination, and our SIEM is monitoring the root of the folder to detect the new files. Our current default config is as below:
source s_net {
    tcp(ip(0.0.0.0) port(514) );
    udp(ip(0.0.0.0) port(514) );
};
template t_msgdefault {
    template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n");
    template_escape(no);
};
destination syslogfile {
    file(
        "/data01/rsyslog/${HOST}/${HOST}.log"
        template(t_msgdefault)
        create_dirs(yes)
    );
};
log { source(s_net); destination(syslogfile); };
This current configuration defines the log aggregator as the host. What we need is for the host to be determined from inside the log. Below is an example of a raw log from the aggregator, as captured by tcpdump (some vital info was changed):
1 2022-03-22T04:26:32.951Z serverName.domain.com Vpxa - - [6D47B70] [Originator@6876 sub=Alarm opID=SWI-41a7] [VpxaAlarm] VM with vmid = 584 not found
I see there is already a timestamp and the server name. Can someone assist with determining how to do this?
Thanks in advance.
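One way to do what the question asks, as an added example that is not part of the original post and not a config shipped by syslog-ng: receive the line unparsed, split the RFC 5424 header (`VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...`) with a csv-parser, copy the parsed hostname into `${HOST}` and the parsed timestamp into the message stamp, and only then hand the message to the existing file destination. The `.hdr.` field names, the `@version` line and the date format string are assumptions chosen for this example; in particular, whether your syslog-ng build accepts `%f` and a trailing `Z` in the date-parser format should be confirmed on a test message.

```conf
@version: 3.35   # assumed; use the version your syslog-ng reports

source s_net {
    # no-parse keeps the whole line in ${MSG}; HOST and the stamp are set by the
    # parser and rewrite below instead of from the aggregator's sender address.
    tcp(ip(0.0.0.0) port(514) flags(no-parse));
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

# Split the RFC 5424 header fields; "greedy" puts everything after MSGID
# (structured data plus free text) into the last column untouched.
parser p_hdr {
    csv-parser(
        columns("version", "ts", "host", "app", "pid", "msgid", "rest")
        delimiters(" ")
        prefix(".hdr.")
        flags(greedy)
    );
    # Assumption: %f (fractional seconds) and a literal Z for %z are accepted.
    # If the parse fails the message simply keeps its receive time.
    date-parser(
        format("%Y-%m-%dT%H:%M:%S.%f%z")
        template("${.hdr.ts}")
    );
};

rewrite r_host {
    set("${.hdr.host}" value("HOST"));
    # HOST now comes from the payload and is used to build a file path with
    # create_dirs(yes), so a crafted hostname must not be able to add path
    # separators or become "..". Keep only a safe character set and strip
    # leading dots.
    subst("[^A-Za-z0-9._-]", "_", value("HOST"), flags("global"));
    subst("^[.]+", "", value("HOST"));
};

template t_msgdefault {
    template("${ISODATE} ${HOST} ${MSG}\n");
    template_escape(no);
};

destination syslogfile {
    file(
        "/data01/rsyslog/${HOST}/${HOST}.log"
        template(t_msgdefault)
        create_dirs(yes)
    );
};

log {
    source(s_net);
    parser(p_hdr);
    rewrite(r_host);
    # Lines that did not carry a usable hostname are collected in one place
    # rather than silently creating odd directories.
    if ("${HOST}" eq "") {
        rewrite { set("unparsed" value("HOST")); };
    };
    destination(syslogfile);
};
```

With the sample line from the question, `${.hdr.host}` becomes `serverName.domain.com`, `${.hdr.ts}` becomes `2022-03-22T04:26:32.951Z`, and the file written is `/data01/rsyslog/serverName.domain.com/serverName.domain.com.log`. The template drops `${MSGHDR}` because with `flags(no-parse)` no header is parsed out of `${MSG}`, so the full original line is already in `${MSG}`.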