Host field missing on received documents using syslog input

victor.nilsson · January 24, 2019, 11:35am

Hi,

I have the following logstash input:

input {
    udp {
        port => 5514
        tags => "syslog"
        id => "syslog-udp"
    }
    tcp {
        port => 5514
        tags => "syslog"
        id => "syslog-tcp"
        proxy_protocol => true
    }
}

and the following output:

output {
  if "syslog" in [tags] {
      elasticsearch {
                    hosts => ["10.232.0.40:9200", "10.232.0.41:9200"]
                    index => "logstash-%{+YYYY-MM-dd}"
                    user => logstash
                    password => password
                    ssl => true
                    ssl_certificate_verification => true
                    cacert => "/etc/logstash/ssl/root-ca.pem"
                    }
   }

And the configuration is working because i am receiving logs and can view them with kibana, but i cant know which host sent the logs since the Host field is missing from the documents. What am i missing here and can i add the Host field?

Badger · January 24, 2019, 1:55pm

A udp input should add a host field by default. For a tcp input I believe that information is in [@metadata][ip_address], so you would need to mutate+copy it.

system · February 21, 2019, 1:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.