udp/syslog inputs report wrong host

[RomanGz]

Looking @ ngrep, events come from the right source, but they end up being whatever random host in the index.

This only happens on multiline inputs. These are not standard formatted syslog messages. Prefixed stack traces. Happens on udp & syslog inputs. Currently running syslog, as udp crashes per https://github.com/elastic/logstash/issues/5318

syslog {
    port => 9119
    type => "error_log"
    codec => multiline {
       patterns_dir => "/etc/logstash/pattern.d"
       pattern => "^<%{NONNEGINT:prifacil}>(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})\s"
       negate => true
       what => previous
    }

[RomanGz]

I guess it's more than just wrong host names. The lines beyond the firs match pattern get scrambled around & mixed with other events.

I put syslog-ng in front of in and have it write out to individual host log files, then have logstash read them in as a workaround for now.