Understanding the Source and Hostname fields

Article ID: 315991

Products

VMware Aria Suite

Issue/Introduction

Received log messages commonly have both a source and a hostname field. This article explains the difference between these two fields and their respective meanings.

 

Environment

VMware Aria Operations for Logs
VMware vRealize Log Insight

Resolution

Messages received via syslog have metadata fields and values associated with them. Two of the fields, source and hostname, provide insight into the origin of the message. Both fields can be used when searching or filtering log messages.

Source Field

The source field contains the IP address or hostname that the message was received from.

If external DNS servers are configured for the appliance, a reverse DNS lookup is performed on the IP address the message is received from. If a PTR record returns a hostname, a DNS query is made for the corresponding A record for the received hostname. If the process succeeds, the source field for the message will contain the hostname retrieved from the external DNS server. Depending on the external DNS server configuration, a bare hostname or FQDN may be returned and stored in the source field.

If a syslog message passes through a relay before being received, the source field will typically contain the address or hostname of the syslog relay.

Hostname Field

The hostname field contains an identifier extracted from the syslog message body. The value of the hostname field is defined by the machine that originally sent the message. The hostname field usually contains the hostname or FQDN of the message originator, but not all syslog message sources are able to provide a hostname. It may also contain an IP address or any other string which the message originator sends, such as localhost. Reverse DNS lookups are not performed on the syslog hostname field.

If a syslog message passes through a relay before being received by Log Insight, the relay can rewrite the hostname field and replace its content. Configuration of third-party syslog relays is outside the scope of this article.
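The following Python sketch models how the two fields described above are derived and flags messages where they disagree, which is what a relayed message or a sender-chosen value such as localhost looks like. It is an added example, not product code: the function names, the DNS tables and the sample messages are constructed, and it assumes the lookup "succeeds" when the A record resolves back to the peer IP.

```python
import ipaddress
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME ...   RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC5424 = re.compile(r"^<\d{1,3}>\d{1,2} \S+ (?P<host>\S+) ")
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")

def hostname_field(raw):
    """Identifier the sender wrote into the message; no DNS lookup is applied."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(raw)
        if m:
            return None if m.group("host") == "-" else m.group("host")  # "-" = RFC 5424 nil
    return None

def source_field(peer_ip, ptr_lookup, a_lookup):
    """Peer IP, replaced by its PTR name only when the follow-up A query confirms it."""
    name = ptr_lookup(peer_ip)
    # Assumption: "succeeds" means the A record resolves back to the peer IP.
    if name and peer_ip in a_lookup(name):
        return name
    return peer_ip

def short(value):
    """Normalise for comparison: IPs stay whole, names drop domain and case."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower().split(".")[0]

def classify(peer_ip, raw, ptr_lookup, a_lookup):
    source = source_field(peer_ip, ptr_lookup, a_lookup)
    hostname = hostname_field(raw)
    agree = hostname is not None and short(source) == short(hostname)
    return {"source": source, "hostname": hostname, "agree": agree}

# Constructed DNS data and messages (RFC 5737 documentation addresses).
PTR = {"192.0.2.10": "web01.example.test", "192.0.2.50": "relay.example.test",
       "192.0.2.77": "ghost.example.test"}
A = {"web01.example.test": ["192.0.2.10"], "relay.example.test": ["192.0.2.50"]}
SAMPLES = [
    ("192.0.2.10", "<34>1 2024-01-01T00:00:00Z web01 app 123 - - started"),
    ("192.0.2.50", "<13>Jan  1 00:00:00 db07 sshd[99]: session opened"),   # via relay
    ("192.0.2.77", "<13>Jan  1 00:00:00 localhost cron[1]: job run"),      # no A record
]

def demo():
    return [classify(ip, raw, PTR.get, lambda n: A.get(n, [])) for ip, raw in SAMPLES]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the hostname value is whatever the originator or a relay wrote, filters that need to identify the transport-level sender should key on source, and a disagreement between the two fields is a cue to check for a relay in the path.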