So syslog-ng does send HOST in its output, so the problem is probably on the es side.

On Jan 26, 2017 23:07, "Scot" <scotrn@gmail.com> wrote:
On My test instance the only thing kibana shows are the "keyword" fields like HOST_FROM.keyword but production has both HOST_FROM and HOST_FROM.keyword.  

Perhaps from a previous es index or something ?  
 
Jan 26 16:54:19 TheBarn Cannot find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1
Jan 26 16:54:49 TheBarn Cannot find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1
Output format applied 
{"SOURCE":"s_net","PROGRAM":"Cannot","PRIORITY":"warning","MESSAGE":"find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1","LEGACY_MSGHDR":"Cannot ","ISODATE":"2017-01-26T16:55:19-05:00","HOST_FROM":"192.168.1.1","HOST":"TheBarn","FACILITY":"user","DATE":"Jan 26 16:55:19"}
{"SOURCE":"s_net","PROGRAM":"Cannot","PRIORITY":"warning","MESSAGE":"find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1","LEGACY_MSGHDR":"Cannot ","ISODATE":"2017-01-26T16:55:49-05:00","HOST_FROM":"192.168.1.1","HOST":"TheBarn","FACILITY":"user","DATE":"Jan 26 16:55:49"}


On Wed, Jan 25, 2017 at 1:22 AM, Scheidler, Balázs <balazs.scheidler@balabit.com> wrote:
Can you post the format-json output so we can see if the HOST attribute is there?

debug mode in syslog-ng should show that. Or alternatively you can use the same template to write to a throwaway logfile.

On Jan 25, 2017 5:56 AM, "Scot" <scotrn@gmail.com> wrote:
Elastic, Syslog-ng Kibana 

Upgraded to latest of ES Stack, Kibana 5 and syslog-ng 3.9.1

I had a Kibana dashboard with a bar chart of unique count of systems that had sent a syslog heartbeat. So I could see any missed heartbeats for any host in the last 24 hours.  

Post upgrade of syslog-ng the host_from, host fields do not seem to come into ES as usable fields because they are not indexed. So visualizations "bar charts by unique 'host" is broken. Has anyone seen this?  


                client-mode("http")
                index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
                type("syslog") # Description: The type of the index. For example, type("test")
                template("$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")




______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq



______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq




______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq