Troubleshooting log collection and visualization in the Log explorer
The results of root cause analysis are incorrect because log events do not get correlated to the correct host in the log records.
Issue symptom
This issue occurs because, in the Log explorer, the name of the originating server is not displayed in the host.name field.
Issue scope
This issue affects all collection policies of all connector types.
Resolution
The log_source_host field now replaces the host.name field for all connector types. This field provides information about the data source where the logs originated.
The log_source_host field is automatically added to the log records as part of the log collection policy. For this change to be reflected in the collection policies, update the collection policies:
- Go to Collection > Collection Policies.
- Click the Action menu for a policy and click Edit.
- On the edit policy page, click Save.
  You do not need to perform any other action.
- Repeat these steps for all collection policies.
For logs ingested from third-party sources through REST APIs, manually add this information to the log_source_host field in the log records.
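One way to populate the field before records from a third-party source are sent, shown as an added example that is not part of the product documentation. It assumes records are JSON objects that may carry the origin as a flat `host.name` key or a nested `host.name` object; the function names and the forwarder list are hypothetical. Records whose only host is a known forwarder are held back, so events are not attributed to the relay instead of the originating server.

```python
import json

FIELD = "log_source_host"  # field name taken from the page

def origin_of(record):
    """Return the originating host already present in a record, or None."""
    # Assumption: the origin may be a flat "host.name" key or a nested
    # {"host": {"name": ...}} object, depending on the third-party source.
    flat = record.get("host.name")
    nested = record.get("host")
    nested = nested.get("name") if isinstance(nested, dict) else None
    for value in (record.get(FIELD), flat, nested):
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None

def add_log_source_host(records, forwarder_names=()):
    """Split records into (ready, rejected) before they are sent.

    A record is rejected when no origin can be determined, or when the only
    host it names is a known forwarder rather than the real source.
    """
    forwarders = {name.lower() for name in forwarder_names}
    ready, rejected = [], []
    for record in records:
        host = origin_of(record)
        if host is None or host.lower() in forwarders:
            rejected.append(record)
            continue
        # Copy the record so the caller's batch is left unmodified.
        ready.append({**record, FIELD: host})
    return ready, rejected

# Constructed sample batch (not real data).
SAMPLE = [
    {"message": "sshd: Accepted publickey", "host.name": "app01.example.com"},
    {"message": "disk full", "host": {"name": "db02.example.com"}},
    {"message": "login failed", "host.name": "relay.example.com"},
    {"message": "no origin recorded"},
]

if __name__ == "__main__":
    ok, bad = add_log_source_host(SAMPLE, forwarder_names=["relay.example.com"])
    print(json.dumps(ok, indent=2))
    print(f"{len(bad)} record(s) held back for manual attribution")
```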