<div dir="ltr"><div><div>Hi,<br><br></div>@Bazsi: could you send a PR with the grammar changes?<br><br></div><div><br></div>L.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 24, 2016 at 4:13 PM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hi,<br><br></div>This patch changes the grammar, so it accepts number tokens as well:<br><br><a href="https://github.com/balabit/syslog-ng/tree/f/java-should-accept-numbers-as-options" target="_blank">https://github.com/balabit/<wbr>syslog-ng/tree/f/java-should-<wbr>accept-numbers-as-options</a><br><br></div><div>testing would be appreciated as this is a "blind" patch, I haven't tried it as I don't personally use elasticsearch/java destinations.<br></div><div><br></div>The memory corruption problem was already raised in a different thread, but I don't know about any exact outcome from those emails, maybe @lbudai does.<br><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="m_-685422349177569363gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Thu, Nov 24, 2016 at 3:06 PM, Peter Eckel <span dir="ltr"><<a href="mailto:lists@eckel-edv.de" target="_blank">lists@eckel-edv.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">OK, I got the first one figured out myself ...<br>
<br>
flush-limit( 1000 )<br>
<br>
does not work.<br>
<br>
flush-limit( "1000" )<br>
<br>
does, which is inconsistent with the usual syslog-ng.conf behaviour. And setting it to "1" actually fixed the slow propagation to ES for me.<br>
<br>
Now I need to see whether the crash still occurs.<br>
<br>
Another question that came up: Is it possible to do flushing based on a time interval and not on a message count in the queue? It's rather unsatisfactory to wait for critical messages to appear in ES.<br>
<br>
Best regards,<br>
<br>
Peter.<br>
<span><br>
> On 24 Nov 2016, at 12:28, Peter Eckel <<a href="mailto:lists@eckel-edv.de" target="_blank">lists@eckel-edv.de</a>> wrote:<br>
><br>
> I'm currently investigating the Syslog NG -> Elasticsearch 2 destination for a project I'm working on, and started using basically the sample configuration in Peter Czanik's blog article. Thanks, by the way, for the great tutorial.<br>
><br>
> There is one thing I'm currently struggling with: On my test system I have a fairly low volume of messages, and there seems to be an issue with flushing the cache of Syslog NG to Elasticsearch. To be precise: It doesn't happen. I can easily force a cache flush by reloading Syslog NG, but if I just keep it sitting there it doesn't log anything at all to Elasticsearch (while logs to files, e.g. /var/log/messages, are happening in real time).<br>
><br>
> I tried configuring the flush-limit() in the elasticsearch2 destination, but the configuration prevents syslog-ng from starting with an error message:<br>
><br>
>> Nov 23 17:30:28 rpm-test syslog-ng[14527]: Error parsing destination, destination plugin flush-limit not found in /etc/syslog-ng/conf.d/elastics<wbr>earch.conf at line 9, column 5:<br>
>> Nov 23 17:30:28 rpm-test syslog-ng[14527]: included from /etc/syslog-ng/syslog-ng.conf line 68, column 1<br>
>> Nov 23 17:30:28 rpm-test syslog-ng[14527]: flush-limit( 1000 )<br>
>> Nov 23 17:30:28 rpm-test syslog-ng[14527]: ^^^^^^^^^^^<br>
>> Nov 23 17:30:28 rpm-test syslog-ng[14527]: syslog-ng documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
>> Nov 23 17:30:28 rpm-test syslog-ng[14527]: mailing list: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
><br>
> If I remove the flush-limit() line, the config loads without a problem.<br>
<br>
</span>[fixed]<br>
<div><div class="m_-685422349177569363h5"><br>
><br>
> After some hours of operation, Syslog NG actually crashed on reload with a memory corruption issue (might be unlelated):<br>
><br>
>> Nov 23 17:50:14 rpm-test<br>
>> systemd[1]: Started System Logger Daemon.<br>
>> Nov 24 11:04:11 rpm-test systemd[1]: Reloaded System Logger Daemon.<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: *** Error in `/usr/sbin/syslog-ng': malloc(): memory corruption (fast): 0x00000000023293df ***<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: ======= Backtrace: =========<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libc.so.6(+0x7b184)[0x7<wbr>f87e29b7184]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libc.so.6(+0x7e877)[0x7<wbr>f87e29ba877]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libc.so.6(__libc_calloc<wbr>+0xb4)[0x7f87e29bc2d4]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libglib-2.0.so.0(g_mall<wbr>oc0+0x17)[0x7f87e39e32c7]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(l<wbr>og_multiplexer_new+0x13)[0x7f8<wbr>7e4529833]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(c<wbr>fg_tree_new_mpx+0x12)[0x7f87e4<wbr>521872]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(+<wbr>0x30136)[0x7f87e4522136]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(+<wbr>0x2fc11)[0x7f87e4521c11]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(+<wbr>0x2fb2b)[0x7f87e4521b2b]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(+<wbr>0x2fc11)[0x7f87e4521c11]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(+<wbr>0x302a9)[0x7f87e45222a9]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(+<wbr>0x2fc11)[0x7f87e4521c11]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(c<wbr>fg_tree_compile_rule+0x35)[0x7<wbr>f87e4522375]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(c<wbr>fg_tree_compile+0x4b)[0x7f87e4<wbr>5224cb]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(c<wbr>fg_tree_start+0x16)[0x7f87e452<wbr>2576]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(c<wbr>fg_init+0x16e)[0x7f87e451d58e]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(+<wbr>0x400de)[0x7f87e45320de]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(+<wbr>0x407d7)[0x7f87e45327d7]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libivykis.so.0(+0x3b4f)<wbr>[0x7f87e2f1cb4f]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libivykis.so.0(+0x5193)<wbr>[0x7f87e2f1e193]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libivykis.so.0(+0x5810)<wbr>[0x7f87e2f1e810]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libivykis.so.0(iv_main+<wbr>0x44)[0x7f87e2f1f7d4]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libsyslog-ng-3.8.so.0(m<wbr>ain_loop_run+0x74)[0x7f87e4532<wbr>734]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /usr/sbin/syslog-ng(main+0x1b8<wbr>)[0x4017b8]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /lib64/libc.so.6(__libc_start_<wbr>main+0xf5)[0x7f87e295db15]<br>
>> Nov 24 11:04:15 rpm-test syslog-ng[31599]: /usr/sbin/syslog-ng[0x4018dd]<br>
<br>
</div></div>[status unknown]<br>
<span class="m_-685422349177569363im m_-685422349177569363HOEnZb"><br>
><br>
> OS Version is CentOS 7.2, Syslog NG 5.8.1 (installed from Peter's repository), Elasticsearch 5.0.1 (installed from Elastic's repo). The machine is a freshly installed system.<br>
<br>
</span><div class="m_-685422349177569363HOEnZb"><div class="m_-685422349177569363h5">______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>