Hi Russel,
I can only guess that I am doing what you are trying to achieve.
Accordingly, I added the "${SOURCEIP}" nv-pair to the "ip_addr" mapping field of elasticsearch.
Please try to set the "template" option of the elastic-http destination as follows:
destination d_elasticsearch {
    elasticsearch-http(
        url("127.0.0.1:9200/_bulk")
        index("alltilla")
        type("test")
        # rfc5424 fields without DATE; ISODATE is kept and also copied into @timestamp,
        # and ip_addr carries the address of the peer that delivered the message
        template("$(format-json --scope rfc5424 --exclude DATE --key ISODATE @timestamp=${ISODATE} ip_addr=${SOURCEIP})")
    );
};
I will talk about this change with the team, because the keep-hostname() and chain-hostname() options, and syslog-ng relays, add another layer of complexity to this issue.
Please correct me if I misunderstood something.
Best regards,
Attila
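As an added illustration (not syslog-ng code, and not part of Attila's or Russell's messages), the following Python model mimics what the template above selects from a message and what the resulting _bulk request body looks like. The membership of the rfc5424 value-pairs scope, the order in which scope, --key and --exclude are applied, and the action-line layout of the _bulk body are assumptions; the two sample messages are constructed, with invented addresses. The second sample shows the relay caveat mentioned above: when a relay forwards the message, ip_addr (${SOURCEIP}) records the relay's address, while HOST still comes from the message header.

```python
import json

# Assumed (approximate) membership of syslog-ng's rfc5424 value-pairs scope.
RFC5424_SCOPE = ("PRIORITY", "FACILITY", "DATE", "HOST", "PROGRAM",
                 "PID", "MSGID", "MESSAGE")


def select_value_pairs(msg, scope=RFC5424_SCOPE, exclude=("DATE",),
                       extra_keys=("ISODATE",), pairs=None):
    """Simplified model of value-pairs selection (assumed order):
    (scope + --key names) minus --exclude names, then explicit name=macro pairs.
    An unset macro expands to the empty string, as in syslog-ng templates."""
    keys = {k for k in msg if k in scope or k in extra_keys} - set(exclude)
    doc = {k: msg[k] for k in sorted(keys)}
    for name, macro in (pairs or {}).items():
        doc[name] = msg.get(macro, "")
    return doc


def render_document(msg):
    """The document the template in the message above would produce:
    @timestamp=${ISODATE} ip_addr=${SOURCEIP} on top of the rfc5424 fields."""
    return select_value_pairs(
        msg, pairs={"@timestamp": "ISODATE", "ip_addr": "SOURCEIP"})


def bulk_request_body(index, doc_type, doc):
    """Assumed _bulk layout: one index action line, one document line,
    each newline-terminated, as a batching HTTP destination would send."""
    action = {"index": {"_index": index, "_type": doc_type}}

    def dump(obj):
        return json.dumps(obj, separators=(",", ":"))

    return dump(action) + "\n" + dump(doc) + "\n"


# Constructed sample messages (all values invented for illustration).
# 1) web01 sends straight to the collector: the transport peer is web01 itself.
DIRECT = {
    "PRIORITY": "6", "FACILITY": "auth",
    "DATE": "Sep  1 07:02:00", "ISODATE": "2019-09-01T07:02:00+12:00",
    "HOST": "web01", "PROGRAM": "sshd", "PID": "2231",
    "MESSAGE": "Accepted publickey for deploy from 10.0.0.5 port 51112",
    "SOURCEIP": "192.0.2.10",
}
# 2) Same message forwarded through a syslog-ng relay with keep-hostname(yes):
#    HOST still says web01 (taken from the header, so not trustworthy on its own),
#    while SOURCEIP is now the relay's address.
VIA_RELAY = dict(DIRECT, SOURCEIP="198.51.100.1")

if __name__ == "__main__":
    for label, msg in (("direct", DIRECT), ("via relay", VIA_RELAY)):
        print(f"--- {label} ---")
        print(bulk_request_body("alltilla", "test", render_document(msg)), end="")
```

Running the script prints the two-line _bulk body for each case; comparing the ip_addr values is the quickest way to see why keep-hostname(), chain-hostname() and relays matter for the mapping.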
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Russell Fulton <r.fulton@auckland.ac.nz>
Sent: Sunday, September 1, 2019 7:02 AM
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Elasticsearch-http dest wish list