remote_syslog plugin, setting the hostname property with the original sender's hostname


Dushan Karawita

Apr 17, 2021, 11:11:26 AM
to Fluentd Google Group
Hi,

I'm trying to use Fluentd to collect the syslogs/event logs from multiple servers (which are deployed in a cloud environment). Fluentd acts as a log collector and then sends them to the SIEM tool IBM QRadar.

My problem is that when the log reaches IBM QRadar, it sees the log source as the Fluentd collector's host name. I want to have the original server's host name.

This is how the current log is received by IBM QRadar from Fluentd. (LOGCOLSRV is the Fluentd server, DBMONSRV is the log source name.)

<13>Apr 16 20:44:12 LOGCOLSRV fluentd: host:DBMONSRV    ident:sshd      pid:14178       message:pam_unix(sshd:session): session closed for user testperfmon     client_addr:10.152.112.22

This is how I want IBM QRadar to receive it.

<13>Apr 16 20:44:12 DBMONSRV fluentd: host:DBMONSRV    ident:sshd      pid:14178       message:pam_unix(sshd:session): session closed for user testperfmon     client_addr:10.152.112.22

Following is the configuration file of the Fluentd collector.

<source>
  @type syslog
  port 5140
  bind 0.0.0.0
  source_address_key client_addr
  source_hostname_key "hostsource"
  tag  rsyslog
</source>

<match rsyslog.**>
  @type copy
  <store>
      @type remote_syslog
      host 10.152.152.152
      port 514
      protocol tcp
      enable_ruby true
      hostname "#{Socket.gethostname}"
      packet_size 4096
      program fluentd
      <format>
          @type single_value
          message_key message
      </format>
   </store>
</match>

I tried to use "#{Socket.gethostname}", but it still gives Fluentd's host name rather than the original log source's host name.

Please help.

Thx in advance.
Dushan
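One way to get the originating server into the syslog header, as an added example that is not part of the original post: "#{Socket.gethostname}" is Ruby evaluated once when Fluentd loads the config, so it can only ever yield the collector's own name, whereas fluent-plugin-remote_syslog (v1.x) expands ${key} placeholders in hostname at flush time for any record key declared as a buffer chunk key. This assumes a plugin version with placeholder support and relies on the host field that in_syslog parses from each incoming header (DBMONSRV in the posted record).

```conf
<source>
  @type syslog
  port 5140
  bind 0.0.0.0
  # Sender's address and reverse-resolved name, kept in the record
  source_address_key client_addr
  source_hostname_key hostsource
  tag rsyslog
</source>

<match rsyslog.**>
  @type copy
  <store>
    @type remote_syslog
    host 10.152.152.152
    port 514
    protocol tcp
    packet_size 4096
    program fluentd
    # Assumption: this plugin version expands ${key} placeholders in
    # hostname, but only for keys listed as chunk keys in <buffer>.
    # "host" is the HOSTNAME parsed from the original syslog header,
    # so QRadar sees the sending server rather than the collector.
    hostname ${host}
    <buffer host>
      # One chunk per originating host; flush as events arrive
      flush_mode immediate
    </buffer>
    <format>
      @type single_value
      message_key message
    </format>
  </store>
</match>
```

If a sender emits a header hostname that should not be trusted, hostsource (resolved from the connecting address) can be used as the chunk key and placeholder instead, at the cost of depending on reverse DNS for every sender.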

Ralph H

Nov 8, 2021, 11:46:45 AM
to Fluentd Google Group
This seems like it should be a common enough use case that a plugin should exist for it.

Has anyone considered augmenting the remote_syslog plugin so it can accept the original syslog fields?