How does Logstash know the host.hostname field?


I don't find the information and I think it's about ECS. I have a really simple config on Logstash that uses syslog input, grok parsing and injects into an Elastic cluster.

input {
  syslog {
    host => ""
    port => 10514
  }
}

But the logs that are shown in Kibana contain the host.hostname from the remote machine sending logs to Logstash (with syslog). How is this done? How, by default, is this information about the hostname known? What could cause this information not to be gathered by Logstash?
Thank you!

When you receive data from a socket the remote address connected to that socket is available. The code is here.

OK, thank you. I can understand why the IP can be known, but here it is the hostname of the machine that is gathered (configured by the command hostnamectl).

The syslog input has a built-in grok pattern configured that will parse your original syslog message, so if the original hostname is present in the syslog message, then it will populate the field host.hostname.

This part of the code tells you which pattern it will use and this is the file with the patterns used.

The value of host.hostname comes from the original message.
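To make the answer concrete, here is an added example (not Logstash's own code) that re-implements the RFC 3164 header parsing the syslog input performs: host.hostname is taken from the HOSTNAME field inside the message, while host.ip is the only thing the socket itself provides. The sample lines are constructed, and the tag name and ECS field layout are assumptions modelled on the input's behaviour described above.

```python
import re

# Simplified stand-in for the SYSLOGLINE grok pattern the syslog input applies:
#   <PRI>TIMESTAMP HOSTNAME [PROGRAM[PID]]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<priority>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>[A-Za-z0-9._-]+)"
    r"(?: (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?)?: "
    r"(?P<message>.*)$"
)

# Constructed sample lines: one with a full header, one with no header at all.
SAMPLE_OK = "<34>Oct 11 22:14:15 web-01 sshd[1234]: Accepted publickey for deploy"
SAMPLE_NO_HEADER = "<13>plain message without header"


def parse_syslog_event(raw: str, peer_ip: str) -> dict:
    """Build an ECS-style event the way the syslog input does.

    peer_ip is what the TCP/UDP socket reports about the sender.
    host.hostname is filled only when the message header carries a hostname;
    if the pattern does not match, the event is tagged and the hostname
    simply never appears (the situation the question asks about).
    """
    event = {"host": {"ip": peer_ip}, "tags": [], "message": raw}
    m = SYSLOG_RE.match(raw)
    if not m:
        # Assumed tag name, mirroring the input's grok-failure convention.
        event["tags"].append("_grokparsefailure_sysloginput")
        return event
    pri = int(m.group("priority"))  # PRI = facility * 8 + severity
    event["log"] = {"syslog": {"facility": {"code": pri >> 3},
                               "severity": {"code": pri & 7}}}
    event["host"]["hostname"] = m.group("logsource")
    event["message"] = m.group("message")
    if m.group("program"):
        event["process"] = {"name": m.group("program")}
        if m.group("pid"):
            event["process"]["pid"] = int(m.group("pid"))
    return event


if __name__ == "__main__":
    print(parse_syslog_event(SAMPLE_OK, "10.0.0.5"))
    print(parse_syslog_event(SAMPLE_NO_HEADER, "10.0.0.5"))
```

A sender that omits the HOSTNAME field but keeps a program name will have the program parsed as host.hostname by this simplified pattern, which is the same ambiguity the original grok has, so check the raw message when the field looks wrong.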

OK, I totally get it now! Many thanks!
