<p dir="ltr">The best solution to send data over the wire between two Syslog-ng instances (e.g. the one getting the logs and the other storing them in elastic) is to use json to encode name-value pairs.</p>
<p dir="ltr">E.g. use format-json with some kind of prefix, and parse the json payload using json-parser() on the other side.</p>
<div class="gmail_quote">On Sep 1, 2015 11:10 AM, "Fabien Wernli" <<a href="mailto:wernli@in2p3.fr">wernli@in2p3.fr</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Jacek,<br>
<br>
On Tue, Sep 01, 2015 at 10:55:13AM +0200, Jacek Drewniak wrote:<br>
> When I am putting new fields to elasticsearch for example using rewrite,<br>
> they don't appear on kibana. But when I prefix the names of these fields with<br>
> ".SDATA.meta" - they appear.<br>
<br>
Well it depends on where you set these fields. If you do it on the host<br>
with the elasticsearch destination instance, they should appear (provided<br>
you've got the right `message_template`).<br>
However if you set them on the remote host sending the data using RFC5424,<br>
then you need to prepend the SDATA bit, otherwise syslog-ng won't send them<br>
over to the elasticsearch writer.<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
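<p dir="ltr">The relay-to-collector setup described in the reply above (format-json on the sending side, json-parser() on the receiving side), written out as an added example; this is not configuration from the thread or from the syslog-ng project. The host name collector.example.com, port 5555, the certificate and key paths, and the file() destination standing in for the Elasticsearch writer are all assumptions; the two halves go into the configuration of two different hosts.</p>

```conf
# Added example, not from the thread. Assumed: host "collector.example.com",
# port 5555, the TLS file paths, and a file() destination standing in for
# whatever Elasticsearch destination the collector already uses.

# ---- relay: the host that receives the original logs and sets new fields ----
source s_local { system(); internal(); };

# Fields set here would only survive an RFC5424 hop if they were named
# .SDATA.*, so instead every name-value pair is encoded as one JSON line.
# TLS with peer verification keeps the (possibly sensitive) pairs off the
# wire in clear text and stops an unverified host from posing as the collector.
destination d_to_collector {
    network("collector.example.com" port(5555)
        transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")                 # assumed path
            key-file("/etc/syslog-ng/relay.key")          # assumed path
            cert-file("/etc/syslog-ng/relay.crt")         # assumed path
            peer-verify(required-trusted))
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)\n")
    );
};

log { source(s_local); destination(d_to_collector); };

# ---- collector: the host with the Elasticsearch (here: file) destination ----
# flags(no-parse) keeps the whole received line in $MESSAGE, so the JSON
# payload is not mangled by syslog-format parsing before json-parser sees it.
source s_from_relay {
    network(port(5555)
        transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")                 # assumed path
            key-file("/etc/syslog-ng/collector.key")      # assumed path
            cert-file("/etc/syslog-ng/collector.crt")     # assumed path
            peer-verify(required-trusted))                # only known relays
        flags(no-parse)
    );
};

# Decode the payload. prefix() keeps decoded keys (.json.HOST, .json.PROGRAM,
# .json.MESSAGE, plus every custom pair) apart from the built-in macros.
parser p_json { json-parser(prefix(".json.")); };

# Stand-in for the Elasticsearch writer: emit the decoded pairs as JSON again,
# shifting the six-character ".json." prefix off the key names.
destination d_store {
    file("/var/log/from-relay.json"
        template("$(format-json --key .json.* --shift 6)\n"));
};

log { source(s_from_relay); parser(p_json); destination(d_store); };
```

<p dir="ltr">Because the pairs arrive under the .json. prefix, the collector's message_template (or any rewrite or filter there) has to reference them as ${.json.name} rather than ${name}; the --shift in the output template only affects what is written, not the names inside syslog-ng.</p>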