You cannot index both types of messages to the same elasticsearch index. The structures are incompatible. In one [host] is a string
"host": "xxx.xxx.xxx.xxx",
and in the other it is an object
"host": {
"name": "ip-xx-xx-xx-xx"
},
Whichever one gets indexed first will cause all the messages of the other format to get mapping exceptions.
You could mutate+rename [host] if ![host][name]