<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Fabien,<br class="">I have tried the following:<br class=""><br class="">- emptying all index/docs in ES<br class="">- create the test/test index with the CURL in my email<br class="">- pointing syslog ES destination to the test/test index <br class=""><br class="">This resulted in the same error again.<br class=""><br class="">I have tried to change the template to just output all nv-pairs and use a complete new index - same error.<br class=""><br class="">Grabbing some packet capture now to see if I can spot anything wrong.<br class=""><br class="">Marco<br class=""><div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class=""></blockquote>On 28 Jan 2018, at 14:19, Fabien Wernli <<a href="mailto:wernli@in2p3.fr" class="">wernli@in2p3.fr</a>> wrote:<br class=""><blockquote type="cite" class=""></blockquote><font color="#00afcd" class=""><br class=""></font><blockquote type="cite" class=""></blockquote>Hi,<br class=""><blockquote type="cite" class=""></blockquote><font color="#00afcd" class=""><br class=""></font><blockquote type="cite" class=""></blockquote>The reason I asked you to configure syslogng to index to "test" was to make<br class=""><blockquote type="cite" class=""></blockquote>sure you are in the same conditions as your curl command.<br class=""><blockquote type="cite" class=""></blockquote>You might for instance have a mapping template matching fw-* but not test.<br class=""><blockquote type="cite" class=""></blockquote><font color="#00afcd" class=""><br class=""></font><blockquote type="cite" class=""></blockquote>Please either configure syslogng to index to test, or use the same fw- index<br class=""><blockquote type="cite" class=""></blockquote>on the curl cmdline.<br class=""><blockquote type="cite" class=""></blockquote><font color="#00afcd" class=""><br class=""></font><blockquote type="cite" class=""></blockquote>______________________________________________________________________________<br class=""><blockquote type="cite" class=""></blockquote>Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" class="">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br class=""><blockquote type="cite" class=""></blockquote>Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" class="">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br class=""><blockquote type="cite" class=""></blockquote>FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" class="">http://www.balabit.com/wiki/syslog-ng-faq</a><br class=""><br class=""></div></div></blockquote><font color="#5856d6" class=""><br class=""></font></div><br class=""></body></html>