'Morning...
I have a v6.5, clustered environment (deployment server), Universal Forwarder on all hosts.
I am getting several Linux systems reporting in with two names, shortname and FQDN. But not all of them are doing this, even members of the same Server Class.
It seems that all the shortnames are only pulling a **sourcetype** of **syslog** or **linux_messages_syslog** and are only **source=/var/log/messages**.
The FQDNs are showing appropriate sourcetypes and sources (all under **/var/log/** -- but NOT messages).
I have a very simple **inputs.conf** being deployed:
```
[monitor:///var/log]
index = servers
disabled = 0
```
I confirmed that syslog is not configured on these to also send to my heavy forwarders. They are reporting in to the Forwarder Management interface as one system (mixture of short and FQDN).
I haven't found a lot of mentions of this here -- I guess this is not very common...?
Thoughts?
Thanks!
Michael