The best solution to send data over the wire between two syslog-ng instances (e.g. the one getting the logs and the other storing them in Elasticsearch) is to use JSON to encode name-value pairs.

E.g. use format-json() with some kind of prefix, and parse the JSON payload using json-parser() on the other side.
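As an added illustration of that relay pattern (not a configuration from the thread or from the syslog-ng project): a sketch in which the sending instance wraps the message and every name-value pair in JSON behind a marker, and the receiving instance parses them back out before writing to Elasticsearch. Hostnames, ports, the `@cee:` marker, the `json.` prefix, the sample field names and the 3.7-era elasticsearch() destination options are assumptions for the example; in practice the two halves live in two separate configuration files.

```conf
@version: 3.7

########## Sending instance: the one that collects the logs ##########

source s_local { system(); internal(); };

# Fields added here would not reach the other side over plain RFC5424
# transport unless they were named .SDATA.*; carrying them inside JSON
# sidesteps that restriction.  (Sample field names are assumed.)
rewrite r_enrich {
    set("webshop",  value("app.name"));
    set("prod-eu1", value("app.env"));
};

destination d_relay {
    network("relay.example.com" port(6514) transport("tcp")
        # A normal BSD-syslog header so the receiver can still parse it,
        # then the "@cee:" marker, then the message and all name-value
        # pairs as a single JSON object.
        template("<${PRI}>${DATE} ${HOST} ${MSGHDR}@cee: $(format-json --scope rfc3164 --scope nv-pairs --exclude DATE --key ISODATE)\n")
    );
};

log { source(s_local); rewrite(r_enrich); destination(d_relay); };

########## Receiving instance: the one with the elasticsearch() destination ##########

source s_relay { network(ip("0.0.0.0") port(6514) transport("tcp")); };

# marker() restricts the parser to messages whose body starts with "@cee:"
# and strips the marker.  prefix() keeps remote-supplied keys
# (json.app.name, json.MESSAGE, ...) apart from the fields this instance
# derives itself, so a sender cannot silently overwrite them.
parser p_json { json-parser(marker("@cee:") prefix("json.")); };

destination d_es {
    elasticsearch(
        client_lib_dir("/usr/share/elasticsearch/lib")   # assumed path
        index("syslog-${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        cluster("syslog-ng")
        client_mode("transport")
        server("127.0.0.1") port("9300")
        # format-json nests dotted names, so json.app.name becomes
        # {"json":{"app":{"name":"webshop"}}} in the indexed document.
        template("$(format-json --scope rfc3164 --scope nv-pairs --exclude DATE --key ISODATE)")
    );
};

log { source(s_relay); parser(p_json); destination(d_es); };
```

Two practical caveats: the receiver indexes whatever keys the sender chose to put into the JSON, so the prefix is what keeps an untrusted or compromised sender from shadowing receiver-side fields; and the plain `transport("tcp")` shown here should be `transport("tls")` with the matching tls() options on both ends once the link leaves a trusted network.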

On Sep 1, 2015 11:10 AM, "Fabien Wernli" <wernli@in2p3.fr> wrote:
Hi Jacek,

On Tue, Sep 01, 2015 at 10:55:13AM +0200, Jacek Drewniak wrote:
> When I am putting new fields to elasticsearch for example using rewrite,
> they don't appear on kibana. But when I prefix name this fields by
> ".SDATA.meta"  - they appear.

Well, it depends on where you set these fields. If you do it on the host
with the elasticsearch destination instance, they should appear (provided
you've got the right `message_template`).
However, if you set them on the remote host sending the data using RFC5424,
then you need to prepend the SDATA bit, otherwise syslog-ng won't send them
over to the elasticsearch writer.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq