remote_syslog plugin, setting the hostname property with the original senders hostname

261 views
Skip to first unread message

Dushan Karawita

unread,
Apr 17, 2021, 11:11:26 AM4/17/21
to Fluentd Google Group
Hi,

I'm trying to use the Fluentd to collect the syslogs/event logs from multiple servers (which are deployed in a cloud environment). The Fluentd acts as a log collector and then sends them into the SIEM tool IBM Qradar.

My problem is when the log reaches the IBM Qradar, it sees the log source as the Fluentd collectors host name. I want to have the original servers host name.

This is how the current log is received by the IBM Qradar from Fluentd. (LOGCOLSRV is the fluentd server, DBMONSRV  is the log source name )

<13>Apr 16 20:44:12 LOGCOLSRV fluentd: host:DBMONSRV    ident:sshd      pid:14178       message:pam_unix(sshd:session): session closed for user testperfmon     client_addr:10.152.112.22

This is how I want IBM Qradar to receive it.

<13>Apr 16 20:44:12 DBMONSRV fluentd: host:DBMONSRV    ident:sshd      pid:14178       message:pam_unix(sshd:session): session closed for user testperfmon     client_addr:10.152.112.22

Following is the configuration file of the Fluentd collector.

<source>
  type syslog
  port 5140
  bind 0.0.0.0
  source_address_key client_addr
  source_hostname_key "hostsource"
  tag  rsyslog
</source>

<match rsyslog.**>
  @type copy
  <store>
      @type remote_syslog
      host 10.152.152.152      
      port 514
      protocol tcp
      enable_ruby true
      hostname "#{Socket.gethostname}"
      packet_size 4096
      program fluentd
      <format>
          @type single_value
          message_key message
      </format>
   </store>
</match>

I tried to use "#{Socket.gethostname}" but still it gives the Fluentd's host name rather than the original log sources host name.

Please help.

Thx in advance.
Dushan

Ralph H

unread,
Nov 8, 2021, 11:46:45 AM11/8/21
to Fluentd Google Group
This seems like it should be a common enough use case that a plugin should exist for it.

Has anyone considered augmenting the remote_syslog plugin so it can accept the original syslog fields?
Reply all
Reply to author
Forward
0 new messages