<div dir="ltr">I don't get it, I don't have that in my current ES target for syslog. <div><div>destination d_es {</div><div>        elasticsearch2(</div><div>                disk-buffer(</div><div>                reliable(no) #  If set to no, the normal disk-buffer will be used. This provides a faster option</div><div>                dir("/opt/syslog-ng/buffer")</div><div>                disk-buf-size(10485760)</div><div>                mem-buf-length(100000) # number of messages stored in overflow queue</div><div>                )</div><div>                client-mode("http")</div><div>                index("syslog-ng_${YEAR}.${MONTH}.${DAY}")</div><div>                type("syslog") # Description: The type of the index. For example, type("test")</div><div>                template("$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")</div><div>                cluster-url("<a href="http://192.168.1.16:9200/">http://192.168.1.16:9200/</a>")</div><div>                concurrent-requests("5") # Number of concurrent batches</div><div>                flush_limit("5000") # The number of messages in a single batch</div><div>                skip-cluster-health-check("yes")</div><div>                cluster("hal")</div><div>                client_lib_dir("/usr/share/elasticsearch/lib")</div><div>        );</div><div>};</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 12, 2017 at 4:32 AM, Fabien Wernli <span dir="ltr"><<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, May 12, 2017 at 12:50:16AM -0400, Scot wrote:<br>
> destination d_es_beats {<br>
>         elasticsearch2(<br>
>                 disk-buffer(<br>
[...]<br>
<span class="">>                 index("winlogbeat-${YEAR}.${<wbr>MONTH}.${DAY}")<br>
<br>
</span>just a sidenote here: don't forget to add time-zone(UTC) to your<br>
elasticsearch destination, otherwise you'll have surprises in Kibana<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
</div></div></blockquote></div><br></div></div>
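<div>An added example, not part of the thread: one way a destination without time-zone(UTC) can surprise in Kibana. It assumes the date macros in index() are rendered in the sender's UTC-04:00 zone while the daily indices are read by UTC date; the helper names and sample timestamps are constructed.</div>

```python
from datetime import datetime, timedelta, timezone

# index() templates from the thread, with the syslog-ng date macros modelled
# as strftime fields (a simplification made for this example).
INDEX_FORMATS = {
    "syslog-ng": "syslog-ng_%Y.%m.%d",
    "winlogbeat": "winlogbeat-%Y.%m.%d",
}

def index_name(kind, stamp, zone):
    """Render the daily index name with the date fields taken in `zone`."""
    return stamp.astimezone(zone).strftime(INDEX_FORMATS[kind])

def misfiled(kind, stamps, zone):
    """Return events whose index date in `zone` differs from their UTC date."""
    out = []
    for s in stamps:
        local = index_name(kind, s, zone)
        utc = index_name(kind, s, timezone.utc)
        if local != utc:
            out.append((s.isoformat(), local, utc))
    return out

# Constructed sample: a sender at UTC-04:00, events around the day boundary.
EDT = timezone(timedelta(hours=-4))
SAMPLE = [
    datetime(2017, 5, 11, 19, 59, 0, tzinfo=EDT),  # 23:59 UTC, same day
    datetime(2017, 5, 11, 20, 0, 0, tzinfo=EDT),   # 00:00 UTC, next day
    datetime(2017, 5, 11, 23, 30, 0, tzinfo=EDT),  # 03:30 UTC, next day
    datetime(2017, 5, 12, 0, 15, 0, tzinfo=EDT),   # 04:15 UTC, same day
]

if __name__ == "__main__":
    for iso, local, utc in misfiled("syslog-ng", SAMPLE, EDT):
        print(f"{iso}: written to {local}, UTC day is {utc}")
```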