The default behavior of using the hostname from the machine forwarding the logs is almost always what you want. If, however, you are reading logs for a number of hosts, you can extract the hostname from the source using host_regex or host_segment. For instance, say we have the path:
/nfs/logs/webserver1/access.log
To set host to webserver1, you could use:
[monitor:///nfs/logs/*/access.log*]
sourcetype=access
host_segment=3
You could also use:
[monitor:///nfs/logs/*/access.log*]
sourcetype=access
host_regex=/([^/]+)/access\.log
The host_regex variable could also be used to extract the value of the host from the filename. It is also possible to reset the host using a transform, with the caveat that this will occur after parsing, which means any settings in props.conf that rely on matching the host will already have been applied.
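A quick way to check which host value a candidate host_segment or host_regex would produce before deploying it is to run it against sample paths. The following is an added example, not Splunk code: it models host_segment as a 1-based index into the "/"-separated path and host_regex as the first capture group of an unanchored match, and the function names and sample paths are constructed for illustration. It also shows why a lazy pattern such as /(.*?)/access.log is a poor choice: the match starts at the first slash, so the capture contains the whole leading path rather than one directory name.

```python
import re

# Constructed sample source paths (not taken from a real system).
SAMPLE_SOURCES = [
    "/nfs/logs/webserver1/access.log",
    "/nfs/logs/webserver2/access.log.1",
    "/nfs/logs/db-01/access.log",
]


def host_from_segment(source_path, segment):
    """Model of host_segment: 1-based index into the '/'-separated path."""
    parts = [p for p in source_path.split("/") if p]
    if 1 <= segment <= len(parts):
        return parts[segment - 1]
    return None  # no such segment; the forwarder's default host would apply


def host_from_regex(source_path, pattern):
    """Model of host_regex: first capture group of an unanchored search."""
    match = re.search(pattern, source_path)
    if match and match.groups():
        return match.group(1)
    return None  # no match; the forwarder's default host would apply


def check(sources, segment, pattern):
    """Return (path, host_by_segment, host_by_regex) for every sample path."""
    return [
        (s, host_from_segment(s, segment), host_from_regex(s, pattern))
        for s in sources
    ]


if __name__ == "__main__":
    for path, by_segment, by_regex in check(
        SAMPLE_SOURCES, 3, r"/([^/]+)/access\.log"
    ):
        flag = "" if by_segment == by_regex else "  <-- mismatch"
        print(f"{path}: segment={by_segment} regex={by_regex}{flag}")

    # The lazy pattern anchors at the first '/', so it captures too much.
    print(host_from_regex(SAMPLE_SOURCES[0], r"/(.*?)/access.log"))
```

A host value containing slashes, or a None result, means events from that path would be attributed to the wrong host or to the forwarder itself, which matters for any search or alert keyed on host.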