All of our servers send to a central rsyslog server.
I followed instructions like these to (re)forward syslog entries to telegraf
and set up [input.syslog] for telegraf running on the syslog server.
All the syslog entries are now viewable in the log viewer, but “Host” is always showing the name of our syslog server and not the server that actually wrote the syslog entry.
If you look at the image I have uploaded, all the entries say the host is “RDRE1-PLMON01” (which is the syslog server) and not the name of the host the alert came from.
This leads me to believe that [input.syslog] is really designed for every server to send only its own syslog entries to its own telegraf instance. Either way, this seems like a bug to me. Telegraf should be using column 4 of the syslog entry as the host, and not just taking the hostname of the host that is streaming the data to it.
Has anyone else used a centralized syslog server and used it as the single source of data for [input.syslog]?