<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Thanks Scot! that fixed that particular issue. I will try on the next one now :)<div class=""><br class=""></div><div class="">Russell</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 30 Sep 2016, at 13:18, Scot <<a href="mailto:scotrn@gmail.com" class="">scotrn@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">Anytime I had this error is was in java library path for the module. <div class=""><br class=""></div><div class="">Try adding client_lib_dir("/opt/elasticsearch/lib") to your <span style="font-size:12.8px" class="">d_elastic destination. </span></div><div class=""><span style="font-size:12.8px" class="">With the right path to es libs. </span></div><div class=""><span style="font-size:12.8px" class=""><br class=""></span></div><div class=""><span style="font-size:12.8px" class=""><br class=""></span></div><div class=""><span style="font-size:12.8px" class=""><br class=""></span></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, Sep 29, 2016 at 7:56 PM, Russell Fulton <span dir="ltr" class=""><<a href="mailto:r.fulton@auckland.ac.nz" target="_blank" class="">r.fulton@auckland.ac.nz</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi folks<br class="">
<br class="">
I am trying to get some parsed logs into elasticssearch but have ended up with a cryptic error message:<br class="">
<br class="">
Starting syslog-ng<br class="">
/usr/lib/jvm/java-1.7.0-<wbr class="">oracle-1.7.0.91.x86_64/jre/<wbr class="">lib/amd64/server<br class="">
[2016-09-30T12:43:43.649899] Error initializing message pipeline;<br class="">
<br class="">
which almost certainly relates to the ES set up but I have no idea what is actually wrong. The ES logs do not show anything.<br class="">
<br class="">
Config file:<br class="">
@version: 3.8<br class="">
@module mod-java<br class="">
@include "scl.conf"<br class="">
<br class="">
<br class="">
options {<br class="">
use_dns (no);<br class="">
use_fqdn (no);<br class="">
keep_hostname (yes);<br class="">
};<br class="">
<br class="">
<br class="">
source s_loghost {<br class="">
tcp(flags(no-multi-line) port(1514) keep-alive(yes));<br class="">
};<br class="">
<br class="">
destination d_syslog { file("/var/log/syslog.log"); };<br class="">
<br class="">
destination d_elastic {<br class="">
elasticsearch(<br class="">
index("auth_${YEAR}.${MONTH}.$<wbr class="">{DAY}")<br class="">
type("auth")<br class="">
cluster("security")<br class="">
flush-limit("1000")<br class="">
);<br class="">
};<br class="">
<br class="">
parser p_patterns { db-parser( file("/etc/syslog-ng/merged.<wbr class="">xml")); };<br class="">
<br class="">
log {<br class="">
<br class="">
source(s_loghost);<br class="">
parser (p_patterns);<br class="">
destination(d_elastic );<br class="">
<br class="">
};<br class="">
<br class="">
The same configuration with a json file destination works fine.<br class="">
<br class="">
Any hints on what to look at appreciated.<br class="">
<br class="">
The ES instance running on the host is set to data: no and I expect it to ship the data to one of the other nodes which has storage.<br class="">
<br class="">
Russell (who admits to being an ES novice)<br class="">
______________________________<wbr class="">______________________________<wbr class="">__________________<br class="">
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank" class="">https://lists.balabit.hu/<wbr class="">mailman/listinfo/syslog-ng</a><br class="">
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank" class="">http://www.balabit.com/<wbr class="">support/documentation/?<wbr class="">product=syslog-ng</a><br class="">
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank" class="">http://www.balabit.com/wiki/<wbr class="">syslog-ng-faq</a><br class="">
<br class="">
</blockquote></div><br class=""></div>
______________________________________________________________________________<br class="">Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" class="">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br class="">Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" class="">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br class="">FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" class="">http://www.balabit.com/wiki/syslog-ng-faq</a><br class=""><br class=""></div></blockquote></div><br class=""></div></body></html>