<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div><div class="">This seems to be a problem with how Kibana is looking at the ES. </div><div class=""><br class=""></div><div class=""><b class="">from syslog-ng -F</b> </div><div class=""><div class="">[2016-04-15T10:33:03.019083] org.syslog_ng.elasticsearch_v2.ElasticSearchDestination.createIndexRequest:95 - Outgoing log entry, json='{"PROGRAM":"asa11","PRIORITY":"warning","MESSAGE":"%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:5.135.188.112 dst public:X.X.X.X (type 3, code 3) on outside interface. Original IP payload: udp src X.X.X.X/3306 dst 5.135.188.112/3306.","ISODATE":"2016-04-15T10:33:03-04:00","HOST":"X.X.X.X","FACILITY":"local5","timestamp":"2016-04-15T10:33:03-04:00"}';</div><div class=""><br class=""></div><div class="">[2016-04-15T10:33:03.024982] org.syslog_ng.elasticsearch_v2.messageprocessor.ESSingleMessageProcessor.send:42 - Message inserted with id: syslog;</div></div><div class=""><br class=""></div><div class=""><b class="">I can see the files growing in ES. 
</b></div><div class=""><br class=""></div><div class=""><div class=""><b class="">[root@loghost kibana]# find /var/lib/elasticsearch/ -newer /opt/syslog-ng/etc/syslog-ng.conf</b></div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index/_d.cfs</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index/_d.si</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index/_d.cfe</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index/segments_c</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/translog</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/translog/translog.ckp</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/translog/translog-7.tlog</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index/_6n5.cfs</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index/_6n5.si</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index/segments_4</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index/_6n5.cfe</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/translog</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/translog/translog.ckp</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/translog/translog-4.tlog</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/_state</div><div class="">/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/_state/state-3.st</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On Apr 14, 2016, at 11:03 AM, Scot Needy <<a href="mailto:scotrn@gmail.com" class="">scotrn@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">[root@loghost etc]# curl <a href="http://localhost:9200/_cat/indices" class="">http://localhost:9200/_cat/indices</a><br class="">yellow open .kibana 1 1 2 0 7.6kb 7.6kb<br class="">yellow open syslog-ng_2016.04.13 5 1 1110 1 383.5kb 383.5kb<br class="">yellow open syslog-ng_2016.04.14 5 1 1 0 11.8kb 11.8kb<br class=""><br class=""><br class=""><blockquote type="cite" class="">On Apr 14, 2016, at 10:47 AM, Fabien Wernli <<a href="mailto:wernli@in2p3.fr" class="">wernli@in2p3.fr</a>> wrote:<br class=""><br class="">On Thu, Apr 14, 2016 at 09:41:42AM -0400, Scot Needy wrote:<br class=""><blockquote type="cite" class="">I think all the TCP port connections are correct, it's just a configuration to get ES to store data. 
<br class=""></blockquote><br class="">show the contents of the following please:<br class=""><br class=""> wget <a href="http://localhost:9200/_cat/indices" class="">http://localhost:9200/_cat/indices</a><br class=""><br class="">______________________________________________________________________________<br class="">Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" class="">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br class="">Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" class="">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br class="">FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" class="">http://www.balabit.com/wiki/syslog-ng-faq</a><br class=""><br class=""></blockquote><br class=""></div></blockquote></div><br class=""></body></html>