This option allows us to split the network feed by the originating host.

The host can be identified by either IP address or DNS hostname. Confirm this selection using the ‘Settings’ panel located at the top of the dashboard.

Log Receiver requirement: To receive events over UDP:514 from various devices on the network and split them by ‘Host IP address’.

Using the Log Receiver dashboard, we have created:

  • a Rule called Syslog Server
  • a Source called syslog_UDP
  • a Destination called syslog_UDP_dest
  • a Destination Filename called syslog_UDP.log

We have enabled the 'Host' option from the Log File Splitting selector to create separate sub-directories containing events from different devices.

If a syslog message came from the host 10.1.1.12, it would be written to the following file at the following location:

/opt/sbox/data/syslog_UDP/10.1.1.12/syslog_UDP.log

Note: We have chosen to split by IP address (the default), not by DNS name.
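The layout described above, reproduced as an added example that is not the Log Receiver's own code: a small UDP syslog receiver that splits incoming datagrams into `<base>/<source>/<host>/<filename>`, exactly as the Rule, Source and Destination Filename created above lay it out. The base directory `/opt/sbox/data` and the sample datagrams are taken from or constructed for this example; `serve` and `demo` are hypothetical names. Because the host identifier becomes a directory name, the example accepts only a literal IP address or a well-formed DNS name before using it in a path, which matters if you switch the split to DNS names.

```python
import ipaddress
import os
import re
import socket
import tempfile

# A well-formed DNS name: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def host_component(host: str) -> str:
    """Per-host sub-directory name: a literal IP address or a DNS name only,
    so a value such as '../x' can never become part of the output path."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"unsafe host identifier: {host!r}")

def split_path(base: str, source: str, host: str, filename: str) -> str:
    """<base>/<source>/<host>/<destination filename>, as the 'Host' split lays it out."""
    return os.path.join(base, source, host_component(host), filename)

def store_event(base: str, source: str, filename: str, sender: str, data: bytes) -> str:
    """Append one datagram to the originating host's file, creating its directory."""
    path = split_path(base, source, sender, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab") as fh:
        fh.write(data.rstrip(b"\r\n") + b"\n")
    return path

def serve(base: str, source: str, filename: str, bind=("0.0.0.0", 514)) -> None:
    """Receive syslog over UDP (binding port 514 needs root) and split by sender IP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            store_event(base, source, filename, ip, data)

def demo() -> list:
    """Constructed datagrams from two hosts; returns the relative paths created."""
    base = tempfile.mkdtemp()
    for sender, data in [("10.1.1.12", b"<34>Oct 11 22:14:15 fw01 sshd[123]: Accepted publickey"),
                         ("10.1.1.40", b"<13>Oct 11 22:14:16 sw02 link: port 3 down"),
                         ("10.1.1.12", b"<34>Oct 11 22:14:17 fw01 sshd[123]: session opened")]:
        store_event(base, "syslog_UDP", "syslog_UDP.log", sender, data)
    return sorted(os.path.relpath(os.path.join(d, f), base)
                  for d, _, files in os.walk(base) for f in files)
```

Running `serve("/opt/sbox/data", "syslog_UDP", "syslog_UDP.log")` as root would produce the 10.1.1.12 path shown above; `demo()` shows the same per-host split in a temporary directory without opening a socket.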