Log viewer shows wrong host for all syslog entries

All of our servers send to a central rsyslog server.

I followed instructions like these to (re)forward syslog entries to telegraf and set up [input.syslog] for telegraf running on the syslog server.

All the syslog entries are now viewable in the log viewer, but “Host” is always showing the name of our syslog server and not the server that actually wrote the syslog entry.

If you note on the image I have uploaded, all the entries say the host is “RDRE1-PLMON01” (which is the syslog server) and not the name of the host the alert came from.

This leads me to believe that [input.syslog] is really designed for every server to send only its own syslog entries to its own telegraf instance. Either way, this seems like a bug to me. Telegraf should be using column 4 of the syslog entry as the host, and not just taking the hostname of the host that is streaming the data to it.

Has anyone else used a centralized syslog server and used it as the single source of data for [input.syslog]?

Thanks!

The host that generated the log message is saved in the hostname tag.

To give you some background, in Telegraf the host tag is used to indicate what host Telegraf is running on, not the source of the metrics. In the future, we are planning to use a tag called source to hold the hostname which the metrics are about, but this plan is still early and not added to very many plugins yet.

Hi Daniel!

I did see the “hostname” in the fields (in the preferences/cog icon). I swapped the hostname with host, but the hostname field does not seem to show up as a column at all in the viewer.

Thanks!
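The distinction drawn in the reply above, with `host` naming the machine the collector runs on and `hostname` naming the server that wrote the entry, can be shown with a small parser. This is an added example, not part of the thread and not Telegraf's code; it assumes the relayed messages are in RFC 5424 format, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)

# Constructed sample input: what a central relay might forward to the collector.
SAMPLE = [
    "<34>1 2024-01-01T10:00:00Z web01 sshd 1234 - - Failed password for invalid user admin",
    "<13>1 2024-01-01T10:00:01Z db02 backup 88 - - nightly dump complete",
    "<34>1 2024-01-01T10:00:02Z web01 sshd 1240 - - Failed password for root",
    "<13>1 2024-01-01T10:00:03Z - cron 77 - - job finished",
]

def tag_message(line, collector_host):
    """Build tags for one relayed line: host = collector, hostname = origin."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    tags = {
        "host": collector_host,           # where the collector runs
        "facility": pri // 8,
        "severity": pri % 8,
        "appname": m.group("appname"),
    }
    origin = m.group("hostname")
    # "-" is the RFC 5424 NILVALUE: the sender gave no hostname. Leave the
    # tag unset rather than silently attributing the entry to the collector.
    if origin != "-":
        tags["hostname"] = origin
    return tags

def count_by_origin(lines, collector_host):
    """Count entries per originating server, flagging those with no origin."""
    counts = Counter()
    for line in lines:
        tags = tag_message(line, collector_host)
        counts[tags.get("hostname", "(no hostname)")] += 1
    return dict(counts)

if __name__ == "__main__":
    for line in SAMPLE:
        print(tag_message(line, "RDRE1-PLMON01"))
    print(count_by_origin(SAMPLE, "RDRE1-PLMON01"))
```

Grouping or alerting on `host` would attribute every entry to the relay, so queries that need the originating server have to key on `hostname`.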