<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi Russel,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I can only guess that I am doing what you are trying to achieve.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I used this ES documentation as my starting point: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/ip.html">https://www.elastic.co/guide/en/elasticsearch/reference/current/ip.html</a></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Accordingly, I added the "${SOURCEIP}" nv-pair to the "ip_addr" mapping field of elasticsearch.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Please try to set the "template" option of the elastic-http destination as follows:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>destination d_elasticsearch {<br>
</span>
<div>  elasticsearch-http(<br>
</div>
<div>    url("127.0.0.1:9200/_bulk")<br>
</div>
<div>    index("alltilla")<br>
</div>
<div>    type("test")<br>
</div>
<div><span style="color: rgb(200, 38, 19);">    </span><span style="color: rgb(200, 38, 19);"><b>template("$(format-json --scope rfc5424 --exclude DATE --key ISODATE @timestamp=${ISODATE} ip_addr=${SOURCEIP})")</b></span><br>
</div>
<div>  );<br>
</div>
<span>};</span><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>I will talk about this change with the team, as the keep-hostname() and chain-hostname() options and syslog-ng relays add another layer of complexity to this issue.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Please correct me if I misunderstood something.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Best regards,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Attila</div>
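<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
An added example (not part of this thread or of syslog-ng) that shows what the template above pairs with on the Elasticsearch side: an index mapping with ip_addr typed as "ip", a document shaped the way format-json would emit it, and a pre-flight check for the one thing that makes such documents fail, a SOURCEIP value that is not a valid address. Index and field names follow the destination above; the sample records are constructed.</div>
<pre>
```python
"""Added example: sanity-check documents for an index whose ip_addr field is
mapped as type "ip". Sample records, the empty-SOURCEIP case and the helper
names are assumptions, not syslog-ng or Elasticsearch code."""
import ipaddress
import json

# Mapping for the index named in the destination; "ip" is the field type
# described in the Elasticsearch reference page linked in the reply.
INDEX_MAPPING = {
    "mappings": {
        "properties": {
            "@timestamp": {"type": "date"},
            "ip_addr": {"type": "ip"},
        }
    }
}


def build_document(record):
    """Mimic the template: rfc5424 fields minus DATE, plus @timestamp and ip_addr."""
    doc = {k: v for k, v in record.items() if k != "DATE"}
    doc["@timestamp"] = record["ISODATE"]
    doc["ip_addr"] = record.get("SOURCEIP", "")   # assumed empty when unset
    return doc


def check_ip_field(doc):
    """Return (ok, reason). An ip-typed field rejects any value that does not
    parse as an IPv4/IPv6 address, and the whole document then fails to index."""
    value = doc.get("ip_addr", "")
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False, f"ip_addr {value!r} is not an IP address"
    return True, ""


def bulk_lines(records, index="alltilla"):
    """Build the NDJSON body for _bulk, skipping documents the ip mapper would reject."""
    lines, skipped = [], []
    for rec in records:
        doc = build_document(rec)
        ok, why = check_ip_field(doc)
        if not ok:
            skipped.append((rec["MESSAGE"], why))
            continue
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n", skipped


# Constructed sample records, keyed by syslog-ng macro names.
SAMPLE_RECORDS = [
    {"ISODATE": "2019-09-01T07:02:00+12:00", "DATE": "Sep  1 07:02:00",
     "HOST": "fw1", "PROGRAM": "sshd", "MESSAGE": "accepted", "SOURCEIP": "10.0.0.5"},
    {"ISODATE": "2019-09-01T07:02:01+12:00", "DATE": "Sep  1 07:02:01",
     "HOST": "localhost", "PROGRAM": "cron", "MESSAGE": "job ran"},
]
```
</pre>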
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Russell Fulton <r.fulton@auckland.ac.nz><br>
<b>Sent:</b> Sunday, September 1, 2019 7:02 AM<br>
<b>To:</b> syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [syslog-ng] Elasticsearch-http dest wish list</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">
It would be really nice if nv pairs parsed as IP addresses got pushed to ES with a field mapping of IP rather than text and keyword.<br>
<br>
Russell@fulton.nz<br>
</div>
</span></font></div>
</body>
</html>