How to maintain the log source host using logstash

graylog, logging, rsyslog, syslog

I am following the steps in this blog to set up rsyslog + logstash + graylog2 and I can't figure out how to replace the @source_host attribute in logstash using the mutate -> replace filter.

In the example the author replaces his @source_host with a string value, but I'd like to use the actual value that is parsed from, in this case, a syslog.

mutate {
  type => loc1
  replace => ["@source_host", "loc1"]
}
mutate {
  type => loc2
  replace => ["@source_host", "loc2"]
}

How do I actually maintain the original source host in my logs?

Best Answer

If the field has already been matched to the record and is available, then you might be able to do this:

mutate {
    type => loc2
    replace => [ "@source_host","%{this_field}" ]
}

(Though I have not tried replacing the @source_host field before, give it a try and let us know how it went... ;-)

the blog?
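
An added example (not from the question, the answer, or the blog they refer to) of the substitution the answer suggests, written in the older Logstash filter syntax the question uses. It assumes events of type loc1 arrive as raw RFC 3164 syslog lines in @message; the field names syslog_hostname and received_from are illustrative choices.

```logstash
filter {
  # Parse the raw syslog line so the sender's hostname becomes a named field.
  grok {
    type => "loc1"
    pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" ]
    # Keep the address the event was actually received from (the relay),
    # since the hostname inside a syslog line is supplied by the sender.
    add_field => [ "received_from", "%{@source_host}" ]
  }

  mutate {
    type => "loc1"
    # Skip events grok could not parse; otherwise @source_host would be
    # set to the literal text "%{syslog_hostname}".
    exclude_tags => "_grokparsefailure"
    replace => [ "@source_host", "%{syslog_hostname}" ]
  }
}
```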
