Logmanager documentation
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Logmanager documentation
  2. /
  3. Additional information
  4. /
  5. Events processing in blockly
  6. /
  7. Defined XML blocks
  8. /
  9. Special blocks
  10. /
  11. Special elements
  12. /
  13. Modify meta.src

Modify meta.src

This feature allows users to modify fields within the meta.src dictionary during log processing. This is useful for correcting source information that may be inaccurate due to network configurations (such as NAT) or faulty syslog implementations.

Overview

The meta.src dictionary contains source information about incoming logs, including:

  • ip: Source IP address of the device (IP type)
  • host: Hostname of the source device (string)
  • program: Syslog program name (string)
  • severity: Syslog severity level (string)
  • facility: Syslog facility (string)
  • pid: Process ID (string)
  • dialect: Protocol dialect, e.g., syslog, relp (string)
  • transport: Transport information, e.g., UDP/514, TCP/601 (string)

You can modify any of these fields in classifiers, parsers, or alert rules to correct or normalize source metadata.

You can only modify existing fields within meta.src. You cannot add new keys, and the new value must be of the same type as the existing value.

Common Use Cases

Fixing Source IP Due to NAT

When logs pass through a NAT gateway, the original source IP may be replaced with the NAT gateway’s IP. If the original IP is available elsewhere in the log message, you can restore it:

Original log: Connection from internal host 10.0.1.50 via gateway
meta.src.ip shows: 192.168.1.1 (NAT gateway IP)
Desired: meta.src.ip should be 10.0.1.50

Correcting Faulty Syslog Program Names

Some devices send incorrect or inconsistent program names. You can standardize these:

Original: meta.src.program = "app[1234]"
Desired: meta.src.program = "myapp"

Normalizing Hostnames

Standardize hostname formats across different log sources:

Original: meta.src.host = "SERVER01.domain.local"
Desired: meta.src.host = "server01"

How to Modify meta.src Fields

Use the Dictionary set index block in combination with accessing the meta.src dictionary.

Where to Use

You can modify meta.src fields in:

  • Classifiers: Correct source information before the message is routed to a parser
  • Parsers: Adjust source metadata as part of the parsing process
  • Alert rules: Modify source information for alert processing and output

Limitations

  • Existing keys only: You can only modify fields that already exist in meta.src. You cannot add new keys. Only ip is always present by default, other fields depend on the incoming message.
  • Type matching required: The new value must be of the same type as the existing value. For example:
    • meta.src.ip requires an IP type value (use the IP block, not a text string)
  • Cannot delete fields: Deleting fields from meta.src is not supported.
  • Warnings on violations: If you attempt an invalid modification (wrong type, non-existent key), a runtime warning is generated and the modification is ignored.
Fields with @ in the name (like ip@ip) visible in raw message data are type metadata generated automatically during serialization. You cannot set them directly.
gdoc_arrow_left_alt With item Variable get gdoc_arrow_right_alt