<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thanks Fabien, I think I understand now! <span id="🙂">🙂</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>Replying to Russel:</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>As far as I know, it is not possible to change the mapping type of an already created field in an already created index: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html#update-mapping">https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html#update-mapping</a></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
When started, syslog-ng does not create the index in ES; it relies on ES to create it itself with the default mapping types.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
If you want to have an index with custom mappings, you will have to create it yourself before sending logs to it from syslog-ng.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I can come up with a possible enhancement:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
We could give the user an option to set multiple field mapping types when configuring the elasticsearch-http() destination, and if it is set, syslog-ng will try to create the index with the given mapping types before sending the logs. Although it does not fit really well with the current implementation of elasticsearch-http(), it might be possible that we can make it work.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
What do you think about this idea? Is this what you are looking for? <span id="🙂">
🙂</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>Best regards,</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>Attila</span></div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng &lt;syslog-ng-bounces@lists.balabit.hu&gt; on behalf of Fabien Wernli &lt;wernli@in2p3.fr&gt;<br>
<b>Sent:</b> Monday, September 2, 2019 10:26 AM<br>
<b>To:</b> syslog-ng@lists.balabit.hu &lt;syslog-ng@lists.balabit.hu&gt;<br>
<b>Subject:</b> Re: [syslog-ng] Elasticscearh-http dest wish list</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">
Hi,<br>
<br>
On Mon, Sep 02, 2019 at 08:08:03AM +0000, Attila Szakacs (aszakacs) wrote:<br>
> Please correct me, if I misunderstood something.<br>
<br>
I think you misunderstood :)<br>
Russel was talking about the ES side of things: ES templates.<br>
The latter define the data types of fields in Elasticsearch.<br>
<br>
See<br>
<a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html">https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html</a><br>
<br>
</div>
</span></font></div>
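<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Added example (not part of the original e-mails and not syslog-ng project code): a sketch of the two points made in this thread, building an index template that fixes field types before syslog-ng sends its first log, and checking existing indices for fields whose type is already set and cannot be changed. It assumes the composable <code>_index_template</code> API of Elasticsearch 7.8 and later (older clusters use <code>_template</code> with a slightly different body); the index pattern and field names are assumptions to be matched to your own elasticsearch-http() configuration.</div>
<pre>
```python
import json
import urllib.request

# Constructed field list; the names are assumptions, match them to your own template().
DESIRED_TYPES = {"@timestamp": "date", "HOST": "keyword", "PROGRAM": "keyword",
                 "SOURCEIP": "ip", "MESSAGE": "text"}


def build_index_template(index_pattern, field_types, priority=100):
    """Return the request body for PUT /_index_template/NAME."""
    properties = {name: {"type": t} for name, t in sorted(field_types.items())}
    return {
        "index_patterns": [index_pattern],
        "priority": priority,
        "template": {"mappings": {"properties": properties}},
    }


def mapping_conflicts(get_mapping_response, field_types):
    """Compare a GET /INDEX/_mapping response with the desired types.

    Returns {index: {field: (existing_type, desired_type)}} for fields that
    already exist with another type. Such indices keep that type; only newly
    created indices (or a reindex) pick up the template.
    """
    conflicts = {}
    for index, body in get_mapping_response.items():
        existing = body.get("mappings", {}).get("properties", {})
        bad = {}
        for field, want in field_types.items():
            have = existing.get(field, {}).get("type")  # object fields have no "type"
            if have is not None and have != want:
                bad[field] = (have, want)
        if bad:
            conflicts[index] = bad
    return conflicts


def put_index_template(base_url, name, body):
    """Send the template to a cluster (needs a reachable node; not called here)."""
    req = urllib.request.Request(
        f"{base_url}/_index_template/{name}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```
</pre>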
</body>
</html>