<div dir="ltr">On My test instance the only thing kibana shows are the "keyword" fields like HOST_FROM.keyword but production has both HOST_FROM and HOST_FROM.keyword. <div><br></div><div>Perhaps from a previous es index or something ? </div><div> </div><div><div>Jan 26 16:54:19 TheBarn Cannot find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1</div><div>Jan 26 16:54:49 TheBarn Cannot find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1</div><div><b>Output format applied </b></div><div>{"SOURCE":"s_net","PROGRAM":"Cannot","PRIORITY":"warning","MESSAGE":"find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1","LEGACY_MSGHDR":"Cannot ","ISODATE":"2017-01-26T16:55:19-05:00","HOST_FROM":"192.168.1.1","HOST":"TheBarn","FACILITY":"user","DATE":"Jan 26 16:55:19"}</div><div>{"SOURCE":"s_net","PROGRAM":"Cannot","PRIORITY":"warning","MESSAGE":"find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1","LEGACY_MSGHDR":"Cannot ","ISODATE":"2017-01-26T16:55:49-05:00","HOST_FROM":"192.168.1.1","HOST":"TheBarn","FACILITY":"user","DATE":"Jan 26 16:55:49"}</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 25, 2017 at 1:22 AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Can you post the format-json output so we can see if the HOST attribute is there?<div dir="auto"><br></div><div dir="auto">debug mode in syslog-ng should show that. Or alternatively you can use the same template to write to a throwaway logfile.</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Jan 25, 2017 5:56 AM, "Scot" <<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>> wrote:<br type="attribution"></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><b>E</b>lastic, <b>S</b>yslog-ng <b>K</b>ibana <div><br></div><div>Upgraded to latest of ES Stack, Kibana 5 and syslog-ng 3.9.1</div><div><br></div><div>I had a Kibana dashboard with a bar chart of unique count of systems that had sent a syslog heartbeat. So I could see any missed heartbeats for any host in the last 24 hours. </div><div><br></div><div>Post upgrade of syslog-ng the host_from, host fields do not seem to come into ES as usable fields because they are not indexed. So visualizations "bar charts by unique 'host" is broken. Has anyone seen this? </div><div><br></div><div><br></div><div><div> client-mode("http")</div><div> index("syslog-ng_${YEAR}.${MON<wbr>TH}.${DAY}")</div><div> type("syslog") # Description: The type of the index. For example, type("test")</div><div> template("$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")</div></div><div><br></div><div><br></div><div><br></div></div>
<br></div></div>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>