<div dir="ltr">Hi,<div><br></div><div>3.7.2 does not work with ES 2.2 (due to some internal API change between ES2.1 and 2.2).</div><div><br></div><div>Maybe a different issue, but you could take a look at:</div><div><a href="https://github.com/balabit/syslog-ng/issues/967">https://github.com/balabit/syslog-ng/issues/967</a></div><div><br></div><div>and another related github issue you can follow:</div><div><a href="https://github.com/balabit/syslog-ng/issues/970">https://github.com/balabit/syslog-ng/issues/970</a><br></div><div><br></div><div><br></div><div>regards,</div><div>Laszlo Budai</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 4, 2016 at 12:38 PM, Mike Lewis <span dir="ltr"><<a href="mailto:MLewis@nephilaadvisors.co.uk" target="_blank">MLewis@nephilaadvisors.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I’m having some issues trying to setup (syslog-ng v3.7.2) an elastic search destination. ES 2.2.0.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">In my syslog-ng.conf file, I have the destination defined as:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New"">destination d_elasticsearch {<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> elasticsearch(<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> index("syslog-ng_${YEAR}.${MONTH}.${DAY}")<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> type("syslog-ng")<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> class-path("/usr/lib64/syslog-ng/java-modules/*.jar:/usr/lib/syslog-ng-java-module-dependency-jars/jars/*.jar:/usr/share/elasticsearch/lib/*.jar:/usr/share/elasticsearch/modules/*.jar")<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> client_mode("transport")<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> server("172.16.100.137")<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> port("9300")<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> cluster("dev-elasticsearch")<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> template("$(format-json -s all-nv-pairs -p @timestamp=$ISODATE -p @message=$MSG)")<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> );<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Courier New""> };<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">However, in the elastic search logs, I just see an exception through on each connection attempt:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New""><u></u> <u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">[2016-03-04 06:33:00,737][WARN ][transport.netty ] [node-1] exception caught on transport layer [[id: 0xe12086b7, /<a href="http://172.16.100.137:52583" target="_blank">172.16.100.137:52583</a> => /172.16.100.137:9300]],
closing connection<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New"">java.lang.IllegalStateException: Message not fully read (request) for requestId [0], action [cluster/state], readerIndex [34] vs expected [49]; resetting<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Courier New""> at org.elasticsearch.transport.netty.MessageChannelHandler.messageReceived(MessageChannelHandler.java:120)<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Has anyone come across this issues previously?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Regards,<u></u><u></u></p>
<p class="MsoNormal">Mike Lewis<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<br>
--------------------------------------------------------------------------------------------------------------------------
<br>
This email has been sent to you on behalf of Nephila Advisors LLC (“Advisors”). Advisors provides consultancy services to Nephila Capital Ltd. (“Capital”), an investment advisor managed and carrying on business in Bermuda. Advisors and its employees do not
act as agents for Capital or the funds it advises and do not have the authority to bind Capital or such funds to any transaction or agreement.
<br>
<br>
The information in this e-mail, and any attachment therein, is confidential and for use by the addressee only. Any use, disclosure, reproduction, modification or distribution of the contents of this e-mail, or any part thereof, other than by the intended recipient,
is strictly prohibited. If you are not the intended recipient, please return the e-mail to the sender and delete it from your computer. This email is for information purposes only, nothing contained herein constitutes an offer to sell or buy securities, as
such an offer may only be made from a properly authorized offering document. Although Nephila attempts to sweep e-mail and attachments for viruses, it does not guarantee that either are virus-free and accepts no liability for any damage sustained as a result
of viruses. <br>
--------------------------------------------------------------------------------------------------------------------------
<br>
<br>
--------------------------------------------------------------------------------------------------------------------------
<br>
This email has been sent to you on behalf of Nephila Advisors UK (“Advisors UK”). Advisors UK provides consultancy services to Nephila Capital Ltd. (“Capital”), an investment advisor managed and carrying on business in Bermuda. Advisors UK and its employees
do not act as agents for Capital or the funds it advises and do not have the authority to bind Capital or such funds to any transaction or agreement.
<br>
<br>
The information in this e-mail, and any attachment therein, is confidential and for use by the addressee only. Any use, disclosure, reproduction, modification or distribution of the contents of this e-mail, or any part thereof, other than by the intended recipient,
is strictly prohibited. If you are not the intended recipient, please return the e-mail to the sender and delete it from your computer. This email is for information purposes only, nothing contained herein constitutes an offer to sell or buy securities, as
such an offer may only be made from a properly authorized offering document. Although Nephila attempts to sweep e-mail and attachments for viruses, it does not guarantee that either are virus-free and accepts no liability for any damage sustained as a result
of viruses. <br>
--------------------------------------------------------------------------------------------------------------------------
<br>
</div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>