<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
I have had this config running happily for several months and today I tried to add the geoip2 plugin and managed to break everything.
<div class=""><br class="">
</div>
<div class="">I first realised that I needed to recompile syslog-ng to get the geoip2 plugin but forgot I was running a locally compiled version.</div>
<div class=""><br class="">
</div>
<div class="">I tried  <font face="Menlo" class="">apt install syslog-ng-mod-geoip
</font>and this broke things badly and I have been trying to recover for the last few hours :(</div>
<div class=""><br class="">
</div>
<div class="">The issue is that any attempt to start syslog-ng with the original config that includes a destination of elasticsearch_http gets an error:</div>
<div class=""><br class="">
</div>
<div class="">Error parsing destination statement, destination plugin elasticsearch_http not found in /usr/local/syslog-ng-3.22/etc/syslog-ng.conf:33:3-33:21<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Judging from what I found on the ’Net, this is what one would expect if the syslog-ng version was prior to 3.21 and did not support the http dest.</div>
<div class=""><br class="">
</div>
<div class="">I first tried recompiling and installing 3.21 (in a different dir) with geoip2 enabled. That went without errors but still would not process my config.</div>
<div class=""><br class="">
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class="">
<div class="">Aside: At this point I found that in spite of having the geoip2 module included, syslog-ng failed to find it when I copied the setup from the manual. Long story short, the manual says the module is ‘geoip2’ when in fact it is ‘geoip2-plugin’
 and that is the name you have to use in the @module. Weird!</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">I then compiled 3.22 since I had the tar file and this behaved the same.</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; color: rgb(47, 180, 29);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""><b class="">rful011@secmgrprd02</b></span><span style="font-variant-ligatures: no-common-ligatures; color: #000000" class="">:</span><span style="font-variant-ligatures: no-common-ligatures; color: #400bd9" class=""><b class="">~</b></span><span style="font-variant-ligatures: no-common-ligatures; color: #000000" class="">$
 cat short.conf </span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">@version: 3.21</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">@include "scl.conf"</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class="">
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">@module geoip2-plugin</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class="">
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">source s_loghost {</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">    network( transport("tcp") flags(no-multi-line) port(1514) keep-alive(yes));</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">};</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class="">
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class="">
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">destination d_elastic {</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">  elasticsearch_http(</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">    index("auth_${YEAR}.${MONTH}.${DAY}")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">   type("auth")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">   persist-name("auth")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">    template( "$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">    url("<a href="http://secesprd01.its.auckland.ac.nz:9200/_bulk" class="">http://secesprd01.its.auckland.ac.nz:9200/_bulk</a>")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">  );</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">};</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class="">
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">log {</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">    source(s_loghost);</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">    destination(d_elastic );</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">    flags(flow-control);</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">};</span></div>
</div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class="">
</span></div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures; color: #2fb41d" class=""><b class="">rful011@secmgrprd02</b></span><span style="font-variant-ligatures: no-common-ligatures" class="">:</span><span style="font-variant-ligatures: no-common-ligatures; color: #400bd9" class=""><b class="">~</b></span><span style="font-variant-ligatures: no-common-ligatures" class="">$
 /usr/local/syslog-ng-3.21/sbin/syslog-ng -s -c ~/short.conf </span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""><font color="#ff2600" class="">Error parsing destination statement, destination plugin elasticsearch_http not found in /usr/local/syslog-ng-3.21/etc/syslog-ng.conf:33:3-33:21:</font></span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">28                  file( "/home/rful011/test.log" template(t_db_parsed_test));</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">29       };</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">30      </span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">31      </span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">32      destination d_elastic {</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">33---->   elasticsearch_http(</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">33---->   ^^^^^^^^^^^^^^^^^^</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">34          index("auth_${YEAR}.${MONTH}.${DAY}")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">35         type("auth")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">36         persist-name("auth")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">37          template( "$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">38          url("<a href="http://secesprd01.its.auckland.ac.nz:9200/_bulk" class="">http://secesprd01.its.auckland.ac.nz:9200/_bulk</a>”)</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""><br class="">
</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures; color: #2fb41d" class=""><b class="">rful011@secmgrprd02</b></span><span style="font-variant-ligatures: no-common-ligatures" class="">:</span><span style="font-variant-ligatures: no-common-ligatures; color: #400bd9" class=""><b class="">~</b></span><span style="font-variant-ligatures: no-common-ligatures" class="">$
 /usr/local/syslog-ng-3.21/sbin/syslog-ng --version</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">syslog-ng 3 (3.21.1)</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Config version: 3.21</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Installer-Version: 3.21.1</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Revision: </span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Compile-Date: Mar 29 2020 11:57:39</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Module-Directory: /usr/local/syslog-ng-3.21/lib/syslog-ng</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Module-Path: /usr/local/syslog-ng-3.21/lib/syslog-ng</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Include-Path: /usr/local/syslog-ng-3.21/share/syslog-ng/include</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Available-Modules: add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,examples,geoip2-plugin,tfgetent,graphite,hook-commands,http,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,mod-python,snmptrapd-parser,stardate,syslogformat,system-source,tags-parser,xml</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Enable-Debug: off</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Enable-GProf: off</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Enable-Memtrace: off</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Enable-IPv6: on</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Enable-Spoof-Source: off</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Enable-TCP-Wrapper: off</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Enable-Linux-Caps: off</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Enable-Systemd: off</span></div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class="">
</span></div>
</span></div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class="">
</span></div>
</span></div>
<div class=""><br class="">
</div>
</body>
</html>