Host field missing on received documents using syslog input


I have the following logstash input:

input {
    udp {
        port => 5514
        tags => "syslog"
        id => "syslog-udp"
    }
    tcp {
        port => 5514
        tags => "syslog"
        id => "syslog-tcp"
        # Expect a PROXY protocol header on each TCP connection
        proxy_protocol => true
    }
}

and the following output:

output {
    if "syslog" in [tags] {
        elasticsearch {
            hosts => ["", ""]
            index => "logstash-%{+YYYY-MM-dd}"
            user => logstash
            password => password
            ssl => true
            ssl_certificate_verification => true
            cacert => "/etc/logstash/ssl/root-ca.pem"
        }
    }
}

The configuration is working, because I am receiving logs and can view them in Kibana, but I can't tell which host sent the logs since the Host field is missing from the documents. What am I missing here, and can I add the Host field?

A udp input should add a host field by default. For a tcp input I believe that information is in [@metadata][ip_address], so you would need to mutate+copy it.
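
A sketch of the mutate+copy step suggested in the reply above, added here as an example and not taken from the original posts. It assumes, as the reply does, that the tcp input stores the sender address in [@metadata][ip_address]; the tag name `_missing_source_host` is hypothetical, and the stdout output is a temporary check to confirm which @metadata fields your plugin version actually sets.

```conf
filter {
  # Only touch syslog events that arrived without a host field
  if "syslog" in [tags] and ![host] {
    if [@metadata][ip_address] {
      # @metadata is never sent to outputs, so copy the address into a real field
      # (field name assumed from the reply above)
      mutate {
        copy => { "[@metadata][ip_address]" => "host" }
      }
    } else {
      # Make the gap visible instead of silently indexing unattributed logs
      # (hypothetical tag name)
      mutate {
        add_tag => ["_missing_source_host"]
      }
    }
  }
}

output {
  # Temporary: print each event including @metadata to verify the field name
  stdout {
    codec => rubydebug { metadata => true }
  }
}
```

Searching Kibana for the `_missing_source_host` tag then shows how many events still arrive without a source address after the change.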
