I have spotted on https://logstash-beta.wmflabs.org/ a few events from deployment-eventlogging04 that have the host field set to "%{logsource}". Found them while searching for 'EventBus'.
The raw message seems to be:
<12>Dec 8 20:54:40 deployment-eventlogging04 eventlogging-service-eventbus[10 (MainThread) 400 POST /v1/events (10.68.16.127) 7.18ms
Looking at Logstash issue https://github.com/elastic/logstash/issues/2552, that suggests the syslog-input plugin requires the program name followed by a colon. So the message would need to have
eventlogging-service-eventbus:
Pure speculation.
Raw json in logstash:
{
  "_index": "logstash-2015.12.08",
  "_type": "syslog",
  "_id": "AVGDX-1ha1EjumVdkmeG",
  "_score": null,
  "_source": {
    "message": "<12>Dec 8 20:54:40 deployment-eventlogging04 eventlogging-service-eventbus[10 (MainThread) 400 POST /v1/events (10.68.16.127) 7.18ms",
    "@version": "1",
    "@timestamp": "2015-12-08T20:54:40.050Z",
    "type": "syslog",
    "host": "%{logsource}",
    "tags": [
      "_grokparsefailure_sysloginput",
      "syslog",
      "es",
      "normalized_message_untrimmed"
    ],
    "priority": 0,
    "severity": 0,
    "facility": 0,
    "facility_label": "kernel",
    "severity_label": "Emergency",
    "level": "EMERGENCY",
    "normalized_message": "<12>Dec 8 20:54:40 deployment-eventlogging04 eventlogging-service-eventbus[10 (MainThread) 400 POST /v1/events (10.68.16.127) 7.18ms"
  },
  "sort": [
    1449608080050
  ]
}
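
Added example, not part of the original report and not Logstash's own code: a small Python sketch of how a header parse that expects `program[pid]: ` rejects the raw line above, so the event is indexed with an unexpanded `%{logsource}` host and priority 0 (kernel / Emergency) even though `<12>` decodes to facility 1, severity 4 (Warning). The regex is a simplified stand-in for a syslog header pattern, `FIXED` is a hypothetical well-formed variant of the line, and `is_misparsed` is an illustrative triage helper.

```python
import re

# Constructed from the raw message quoted in the report above.
BROKEN = ("<12>Dec 8 20:54:40 deployment-eventlogging04 "
          "eventlogging-service-eventbus[10 (MainThread) 400 POST /v1/events "
          "(10.68.16.127) 7.18ms")
# Hypothetical well-formed variant: PID bracket closed and followed by a colon.
FIXED = BROKEN.replace("eventbus[10 ", "eventbus[10]: ")

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Simplified stand-in for a BSD syslog (RFC 3164) header pattern. It is an
# assumption for illustration, not the grok pattern Logstash ships.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$")

def decode_pri(pri):
    """PRI = facility * 8 + severity, so <12> is facility 1, severity 4."""
    return divmod(pri, 8)

def parse(line):
    m = HEADER.match(line)
    if m is None:
        # Mirror the fields seen in the indexed event: the host template is
        # never expanded and priority collapses to 0 (kernel / Emergency).
        return {"host": "%{logsource}", "priority": 0, "facility": 0,
                "severity": 0, "severity_label": SEVERITIES[0],
                "tags": ["_grokparsefailure_sysloginput"], "message": line}
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    return {"host": m["logsource"], "program": m["program"], "pid": m["pid"],
            "priority": pri, "facility": facility, "severity": severity,
            "severity_label": SEVERITIES[severity], "tags": [],
            "message": m["message"]}

def is_misparsed(event):
    """Triage check: unexpanded %{...} in host, or the parse-failure tag."""
    return "%{" in event["host"] or \
        "_grokparsefailure_sysloginput" in event["tags"]

if __name__ == "__main__":
    for line in (BROKEN, FIXED):
        e = parse(line)
        print(is_misparsed(e), e["host"], e["priority"], e["severity_label"])
```

Any alerting keyed on severity or host would treat the broken event as a kernel Emergency from an unknown source, so a check like `is_misparsed` is worth running before such events reach dashboards.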