Unfortunately I am doing this on host with elasticsearch, that is why I don't know what is wrong. 
Message template?

My server config is: http://pastebin.com/FJzD6n77

-- 
Jacek Drewniak
R&D

emailjacek.drewniak@oort.in

mobile+48 696 151 670

website: www.oort.in




AWARDS

Bluetooth Breakthrough Award Finalist
CES 2015 Envisioneering Innovation & Design Award Winner
Tech Trailblazers Awards Winner
Most exciting company at Bluetooth Media Event in New York 2014
Polish Agency for Enterprise Development Award Winner


2015-09-01 11:10 GMT+02:00 Fabien Wernli <wernli@in2p3.fr>:
Hi Jacek,

On Tue, Sep 01, 2015 at 10:55:13AM +0200, Jacek Drewniak wrote:
> When I am putting new fields to elasticsearch for example using rewrite,
> they don't appear on kibana. But when I prefix name this fields by
> ".SDATA.meta"  - they appear.

Well it depends on where you set these fields. If you do it on the host
with the elasticsearch destination instance, they should appear (provided
you've got the right `message_template`).
However if you set them on the remote host sending the data using RFC5424,
then you need to prepend the STATA bit, otherwise syslog-ng won't send them
over to the elasticsearch writer.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq