There are three ways the "_sourceHost" field is populated for a Syslog source:
1. If the Host field is available in the Source/Collector configuration and Syslog events are coming from the localhost, the _sourceHost field will be populated from it.
The Source Host field overrides the Collector Host field. These fields are honored only if the Syslog events are coming from the localhost.
2. If a hostname or host IP is available in the Syslog event, it will populate the _sourceHost metadata field.
3. A reverse DNS lookup for the server where the Collector is installed will populate the _sourceHost metadata field.