<div dir="ltr"><div><div><div>Hi,<br></div><br>I worked a bit more on this: <a href="https://www.balabit.com/blog/collecting-syslog-ng-statistics-to-graphite/">https://www.balabit.com/blog/collecting-syslog-ng-statistics-to-graphite/</a> Probably not the nicest solution, but it works :)<br><br></div>Sending to Elasticsearch is pretty similar. I chose the Graphite way, as for Elasticsearch / Kibana one also needs to configure mapping, so values are stored as numbers instead of strings. I still need to get more familiar with mapping... (on my ToDo list).<br><br></div>Bye,<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peter Czanik (CzP) <<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>><br>Balabit / syslog-ng upstream<br><a href="https://www.balabit.com/blog/author/peterczanik/" target="_blank">https://www.balabit.com/blog/author/peterczanik/</a><br><a href="https://twitter.com/PCzanik" target="_blank">https://twitter.com/PCzanik</a></div></div></div></div>
<br><div class="gmail_quote">On Tue, Oct 17, 2017 at 5:42 PM, Czanik, Péter <span dir="ltr"><<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br></div><br></div>If you work with syslog-ng-ctl you can give "jo" ( JSON output: <a href="https://github.com/jpmens/jo" target="_blank">https://github.com/jpmens/jo</a> ) a try. I only did some basic tests, but it seems to me that it can turn the output of "syslog-ng-ctl query" into JSON.<br><br></div>Bye,<br></div><div class="gmail_extra"><br clear="all"><div><div class="m_-6893494746386807038gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peter Czanik (CzP) <<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>><br>Balabit / syslog-ng upstream<br><a href="https://www.balabit.com/blog/author/peterczanik/" target="_blank">https://www.balabit.com/blog/<wbr>author/peterczanik/</a><br><a href="https://twitter.com/PCzanik" target="_blank">https://twitter.com/PCzanik</a></div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Tue, Oct 17, 2017 at 5:20 PM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Difficult, the whole problem is naming of the name value pairs. <div dir="auto"><br></div><div dir="auto">The idea behind stats is to generate all name value pairs in one message, and this simply does not scale. You are almost certainly interested in a set of values or an aggregate of a set, and not everything.</div><div dir="auto"><br></div><div dir="auto">Just set stats-level() to 3, and look at the stats message.</div><div dir="auto"><br></div><div dir="auto">I am not saying it's impossible, just that it requires some thought.</div></div><div class="m_-6893494746386807038HOEnZb"><div class="m_-6893494746386807038h5"><div class="gmail_extra"><br><div class="gmail_quote">On Oct 17, 2017 17:09, "Scot" <<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">How about an output modifier? </div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 17, 2017 at 11:02 AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br><br></div>the issue with the internal stats() message is that if you have a lot of counters that message is truncated. Also, it is pretty difficult to parse.<br><br></div>So I would vote for the "poll syslog-ng-ctl and generate messages" solution. 
<br></div><div><br></div><div>BTW: the internal PE team did something in this area, they created some sort of internal source that does this polling, but I am not sure how that works. Possibly there's documentation :)</div><span class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776HOEnZb"><font color="#888888"><div><br></div></font></span></div><div class="gmail_extra"><span class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776HOEnZb"><font color="#888888"><br clear="all"><div><div class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div></font></span><div><div class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776h5">
<br><div class="gmail_quote">On Tue, Oct 17, 2017 at 4:37 PM, Scot <span dir="ltr"><<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Doesn't stats_freq() set an interval to log stats to syslog already?<div><strong style="color:rgb(29,89,135);font-size:1.5em;font-family:"Droid Sans",Verdana,Helvetica,sans-serif"><br></strong></div><div><span style="color:rgb(29,89,135);font-family:"Droid Sans",Verdana,Helvetica,sans-serif">Description:</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> The period between two </span><span class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-highlight" style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0);background-color:rgb(255,222,123)">STATS</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> messages in seconds. </span><span class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-highlight" style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0);background-color:rgb(255,222,123)">STATS</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> are log messages sent by syslog-ng, containing </span><span class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-highlight" style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0);background-color:rgb(255,222,123)">stat</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)">istics about dropped log messages. 
Set to </span><code class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-userinput" style="color:rgb(0,0,0);font-family:Courier,fixed">0</code><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> to disable the </span><span class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741gmail-highlight" style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0);background-color:rgb(255,222,123)">STATS</span><span style="font-family:"Droid Sans",Verdana,Helvetica,sans-serif;color:rgb(0,0,0)"> messages.</span><div><div><br></div><div>So </div><div>internal_src -> format > elasticsearch -> syslog-ng_stats index ?  </div></div></div></div><div class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115HOEnZb"><div class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 16, 2017 at 11:01 AM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have a perl script that collects some stats and logs them to syslog again. The syslog stream gets sent to ES, so they end up there, but as a syslog line, not a specific statistic item for things like grafana.<div><div class="m_-6893494746386807038m_-2246681816570163581m_-8420517622888457776m_-6715086831271444115m_2272840704388001741h5"><br>
<br>
On 10/15/2017 05:57 PM, Scot wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
  Looked around for a few hours and didn't see anything.<br>
<br>
Has anyone worked on sending syslog-ng stats to ES ?<br>
I see several ways I could but wondering if anyone has already. A push method directly from syslog-ng would be awesome.<br>
<br>
Scot<br>
<br>
</blockquote>
<br></div></div>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=syslog<wbr>-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
</blockquote></div><br></div>
</div></div><br>
<br>
<br></blockquote></div><br></div></div></div>
<br>
<br></blockquote></div><br></div>
<br>
<br></blockquote></div></div>
</div></div><br>
<br>
<br></blockquote></div><br></div></div></div>
</blockquote></div><br></div>
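<div>The "poll syslog-ng-ctl and generate messages" approach discussed in this thread, as an added example (not code from the thread or from the linked blog post): it parses the semicolon-separated counters printed by <code>syslog-ng-ctl stats</code>, emits Graphite plaintext lines and JSON documents with numeric values for Elasticsearch, and picks out non-zero dropped counters. The sample input is constructed, and the function names and the <code>syslogng</code> prefix are assumptions.</div>

```python
import csv
import io
import json
import re

# Constructed sample in the semicolon-separated layout printed by
# `syslog-ng-ctl stats`; the counters and values are made up.
SAMPLE = """SourceName;SourceId;SourceInstance;State;Type;Number
center;;received;a;processed;1520
destination;d_es;;a;processed;1498
dst.tcp;d_es#0;tcp,10.0.0.5:514;a;dropped;22
global;payload_reallocs;;a;processed;17
"""

def _seg(text):
    # Dots separate Graphite path levels, so dots and other punctuation
    # inside a single field are folded into underscores.
    return re.sub(r"[^A-Za-z0-9_-]+", "_", text).strip("_")

def parse_stats(text):
    """Return one dict per counter line, with the value as an int."""
    rows = []
    reader = csv.DictReader(io.StringIO(text), delimiter=";",
                            quoting=csv.QUOTE_NONE)
    for rec in reader:
        try:
            value = int(rec.get("Number"))
        except (TypeError, ValueError):
            continue  # truncated or malformed line: skip it
        rows.append({"name": rec["SourceName"], "id": rec["SourceId"],
                     "instance": rec["SourceInstance"],
                     "type": rec["Type"], "value": value})
    return rows

def to_graphite(rows, ts, prefix="syslogng"):
    """Graphite plaintext protocol: '<path> <value> <timestamp>'."""
    out = []
    for r in rows:
        parts = [prefix] + [_seg(r[k]) for k in ("name", "id", "instance", "type")]
        out.append(f"{'.'.join(p for p in parts if p)} {r['value']} {ts}")
    return out

def to_es_docs(rows, ts):
    # The value is serialized as a JSON number, not a quoted string,
    # so it does not end up stored as text.
    return [json.dumps({**r, "@timestamp": ts}) for r in rows]

def dropped(rows):
    """Counters that show message loss, worth alerting on."""
    return [r for r in rows if r["type"] == "dropped" and r["value"] > 0]
```

<div>A non-empty result from <code>dropped()</code> means the log pipeline is losing messages on that destination, which is the counter most worth graphing and alerting on.</div>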