Was wondering if this was possible at all. I am currently facing a situation where I have a legacy NG system with a number of sources integrated. We are working to slowly transition off of this particular instance, but to do this I need to make sure that the messages that are emitted retain their source host.
Unfortunately, when this legacy environment was crafted, the keep_hostname option was set to false, which meant that the engineers focused on source log specific HOST extraction.
As I am working to tee the data off to the new system, I need the data to retain its source hostname. Ideally one would just flip keep_hostname to yes, but there is too much risk right now as it could impact how data is being parsed throughout the system.
My ask is, while keep_hostname is globally disabled, is there a way that I can enable it within a filter or destination?
Doing this with a globally disabled keep-hostname() option is not really possible as the original host information is lost.
When keep-hostname(no) is used, a feature called "store-raw-message" can be enabled which stores the entire incoming message in the $RAWMSG macro. The raw message definitely contains the original hostname, but then it is up to you to extract the host from the whole message.
My ask is, while keep_hostname is globally disabled, is there a way that I can enable it within a filter or destination?
You can achieve something similar the other way around:
Setting keep-hostname() to yes keeps the original host name intact, but you will have 2 different macros:
- $HOST contains the original hostname
- $HOST_FROM contains the "source's" hostname

Applying a rewrite rule which overrides $HOST with $HOST_FROM can be added to paths where you want to retain the old behavior.
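
The layout described in the reply above, sketched as a syslog-ng configuration. This is an added example, not part of the original thread; the source, destination, rewrite and host names are hypothetical, and the `@version` line is an assumption to be matched to the installed release.

```conf
# Added example, not from the thread. All object names, ports, paths and the
# collector address are hypothetical.
@version: 4.0

options {
    # $HOST now carries the hostname found in the message (as sent by the
    # client); $HOST_FROM still carries the host the message was received from.
    keep-hostname(yes);
};

source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Restores the old keep-hostname(no) view: overwrite $HOST with $HOST_FROM.
rewrite r_legacy_host {
    set("${HOST_FROM}", value("HOST"));
};

destination d_new_system {
    network("new-collector.example.net" port(601) transport("tcp"));
};

destination d_legacy_files {
    file("/var/log/legacy/${HOST}/messages.log" create-dirs(yes));
};

log {
    source(s_net);

    # Tee to the new system: no rewrite, so the original hostname is retained.
    log { destination(d_new_system); };

    # Legacy path: put the old $HOST value back before any existing
    # parsers, filters and destinations that depend on it.
    log {
        rewrite(r_legacy_host);
        destination(d_legacy_files);
    };
};
```

Every existing log path that relied on the old `$HOST` value needs the rewrite rule, since the global option changes `$HOST` for all of them.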