Thanks Fabien,

I can't seem to find this configuration option in Kibana. I see the MESSAGE field in the document, but I assume that it's case sensitive and doesn't recognize that field?

Shawn

On Thu, May 28, 2020 at 3:58 AM Fabien Wernli <wernli@in2p3.fr> wrote:
Hi Shawn,

On Wed, May 27, 2020 at 04:24:11PM -0400, Shawn Taylor wrote:
> I am running ES/Kibana 6.8.9-1 and am struggling with this issue.
>
> https://discuss.elastic.co/t/message-failed-to-find-message-in-kibana-logs/210522
>
> I have added my index to the *Logs Indices* field in the Logs configuration.
>
> When I look at the fields in a document I see a field called MESSAGE, but
> not message.
>
> I do not see a way to add this field in the configuration. Is it possible
> to have this document display in the Logs UI? Can I convert the fields in
> syslog-ng to lowercase before forwarding them to elastic?

I don't use the "logs app" in Kibana, so I'm afraid I'm limited in my
ability to help you.
That being said, the thread you mention has been solved by changing the name
of the message column by the user:

   You are right! My problem was that I was changing "message" field to
   "message_log", so really "message" field didn't exist.
   I have changed in Kibana Logs the "Log Columns" to add "message_logs" and it
   works now!

So it seems you can change the name of the columns in kibana, and in your
case, assuming you're using the default syslog-ng config, it should be
MESSAGE.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq



--
Shawn Taylor
Security Applications Technologies
NC State University
1575 Varsity Drive
Raleigh NC 27606
919.515.8507
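The other route Shawn asks about in the quoted message, renaming the field on the syslog-ng side rather than changing the Log Columns in Kibana, looks like this. This is an added example, not a configuration posted in the thread and not syslog-ng's own documentation; it assumes a syslog-ng 3.2x release with `elasticsearch-http()` available from `scl.conf`, a placeholder Elasticsearch URL, and an assumed index name pattern. In `$(format-json key=value ...)` the name on the left of each pair is the field name written into the document, so `message=${MESSAGE}` is what makes the lowercase `message` field exist.

```conf
# Added example (not from the thread). Assumes syslog-ng 3.2x with scl.conf,
# a placeholder Elasticsearch URL and an assumed index name; adjust both.
@version: 3.25
@include "scl.conf"

source s_syslog {
    syslog(transport("tcp") port(601));
};

# Each key on the left of an "=" becomes the document field name, so the
# Kibana Logs app resolves its default "message" column without any
# Log Columns change. type("_doc") matches the ES 6.8 line used in the thread.
destination d_elasticsearch_http {
    elasticsearch-http(
        url("http://elasticsearch.example.invalid:9200/_bulk")
        index("syslog-ng-${YEAR}.${MONTH}.${DAY}")
        type("_doc")
        template("$(format-json
                    @timestamp=${ISODATE}
                    host=${HOST}
                    program=${PROGRAM}
                    pid=${PID}
                    facility=${FACILITY}
                    severity=${LEVEL}
                    message=${MESSAGE})\n")
    );
};

log {
    source(s_syslog);
    destination(d_elasticsearch_http);
};
```

Renaming the field creates a new mapping in the index, so anything already keyed on `MESSAGE` (saved searches, visualizations, alert rules) needs to be pointed at `message`; if that is a bigger change than you want, Fabien's suggestion of adjusting the Log Columns in Kibana to `MESSAGE` leaves the documents untouched.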