Logstash version: 7.12.0
Logstash source: RPM
Running as a service
Plugin installed with Logstash
OpenJDK Runtime Environment (build 1.8.0_282-b08)
Linux aws-logstashd1 3.10.0-1160.21.1.el7.x86_64 #1 SMP Tue Mar 16 18:28:22 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
The syslog input plugin puts the remote syslog sender name or address into the host field. In fact this should go into agent.name according to ECS. The value for host.name (note - NOT host as currently done) should come from the hostname portion of the syslog text.
For example, if I simulate sending the plugin some sample text from the local system:
nc 127.0.0.1 5140
<11>1 2021-05-06T15:34:17+01:00 SERVER1 validuser - - [meta sequenceId="90"] User user1@example.net Login failed - Invalid user/password
The plugin creates:
host: LOCALHOST
message: User user1@example.net Login failed - Invalid user/password
...
Where it should create:
agent.name: LOCALHOST
host.name: SERVER1
message: User user1@example.net Login failed - Invalid user/password
...
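The field layout requested above, as an added Ruby example (not code from logstash-input-syslog or from the reporter): it parses an RFC 5424 line and keeps the sender-asserted hostname from the header separate from the peer address the listener observed. The names `RFC5424`, `SAMPLE` and `to_ecs` are hypothetical, the flat dotted keys stand in for nested event fields, and the `log.syslog.*` and `process.name` fields go beyond what the report lists.

```ruby
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = /\A<(?<pri>\d{1,3})>(?<ver>\d{1,2}) (?<ts>\S+) (?<host>\S+) (?<app>\S+) (?<procid>\S+) (?<msgid>\S+) (?<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?<msg>.*))?\z/m

# Sample line taken from the report above.
SAMPLE = '<11>1 2021-05-06T15:34:17+01:00 SERVER1 validuser - - ' \
         '[meta sequenceId="90"] User user1@example.net Login failed - Invalid user/password'

# line:   raw syslog text as received
# sender: name or address of the connection peer, as seen by the listener
def to_ecs(line, sender)
  raw = line.chomp
  m = RFC5424.match(raw)
  # Unparseable input: keep the raw text and record only the transport peer,
  # never guess a host.name from it.
  return { 'agent.name' => sender, 'message' => raw } unless m

  pri = m[:pri].to_i
  event = {
    'agent.name' => sender,                  # who delivered the message
    'message' => m[:msg].to_s,
    '@timestamp' => m[:ts],
    'log.syslog.facility.code' => pri / 8,   # PRI = facility * 8 + severity
    'log.syslog.severity.code' => pri % 8
  }
  # "-" is the RFC 5424 NILVALUE: the originator stated no value.
  event['host.name'] = m[:host] unless m[:host] == '-'
  event['process.name'] = m[:app] unless m[:app] == '-'
  event
end

puts to_ecs(SAMPLE, 'LOCALHOST') if __FILE__ == $PROGRAM_NAME
```

Keeping both values lets a downstream rule compare the hostname a message claims with the peer that actually delivered it, which matters when messages arrive through relays.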