You can map it to lower case, but I am a bit surprised that this is required.

Here's the definition of our elasticsearch-http destination:

https://github.com/syslog-ng/syslog-ng/blob/master/scl/elasticsearch/elastic-http.conf

Note the template() parameter, which you can customize to include further mappings. Right now it only maps @timestamp to be the timestamp of the message.

On Wed, May 27, 2020, 22:24 Shawn Taylor <staylor8@ncsu.edu> wrote:
I am running ES/Kibana 6.8.9-1 and am struggling with this issue.

https://discuss.elastic.co/t/message-failed-to-find-message-in-kibana-logs/210522

I have added my index to the Logs Indices field in the Logs configuration.

When I look at the fields in a document I see a field called MESSAGE, but not message.

I do not see a way to add this field in the configuration. Is it possible to have this document display in the Logs UI? Can I convert the fields in syslog-ng to lowercase before forwarding them to elastic?

Thanks,

Shawn


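An added configuration example, not taken from this thread or from the syslog-ng project's own elastic-http.conf: it shows how the template() parameter of the elasticsearch-http() destination can be overridden so that the JSON document sent to Elasticsearch carries a lowercase `message` key alongside the default `@timestamp` mapping. The URL, index name and source/log path names are assumptions chosen for illustration.

```conf
# Assumed: syslog-ng 3.x with the elasticsearch-http() SCL block available.
@version: 3.27
@include "scl.conf"

# Assumed local input; replace with whatever source you actually collect from.
source s_local {
    system();
    internal();
};

# Override template() so the JSON body contains a lowercase "message" key.
# - --scope rfc5424 / --scope nv-pairs: emit the standard syslog macros and
#   any name-value pairs parsed from the message.
# - --exclude DATE / --exclude MESSAGE: drop the uppercase originals we are
#   remapping, so the document does not carry both MESSAGE and message.
# - @timestamp=${ISODATE}: the mapping the stock destination already performs.
# - message=${MESSAGE}: the extra mapping Kibana's Logs UI looks for.
destination d_elastic {
    elasticsearch-http(
        url("http://localhost:9200/_bulk")   # assumed Elasticsearch endpoint
        index("syslog-ng")                   # assumed index name
        type("_doc")
        template("$(format-json --scope rfc5424 --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs --exclude DATE --exclude MESSAGE @timestamp=${ISODATE} message=${MESSAGE})")
    );
};

log {
    source(s_local);
    destination(d_elastic);
};
```

After reloading syslog-ng, a document indexed from this destination has `message` (lowercase) and `@timestamp` at the top level; the remaining rfc5424 macros keep their usual names (HOST, PROGRAM, PID, and so on), so any other field the Logs UI expects in lowercase would need its own `name=${MACRO}` pair in the same template.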
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq