<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
small correction to the test invocation of syslog-ng below. should be:
<div class="">
<div class=""><br class="">
</div>
<div class=""><font face="Menlo" class="">rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng -s
<font color="#ff2600" class="">-f</font> ~/short.conf </font></div>
<div class=""><font face="Menlo" class=""><br class="">
</font></div>
<div class=""><font face="Menlo" class="">rather than -c. It does not effect the error messages…. It was running on the full config not the stripped down one.</font></div>
<div class=""><font face="Menlo" class=""><br class="">
</font></div>
<div class=""><font face="Menlo" class="">R</font></div>
<div class=""><br class="">
<br class="">
<blockquote type="cite" class="">On 29/03/2020, at 4:03 PM, Russell Fulton <<a href="mailto:r.fulton@auckland.ac.nz" class="">r.fulton@auckland.ac.nz</a>> wrote:<br class="">
<br class="">
I have had this config running happily for several months and today I tried to add the geoip2 plugin and managed to break everything.<br class="">
<br class="">
I first realised that I needed to recompile syslog-ng to get the geoip2 plugin but forgot I was running a locally compiled version .<br class="">
<br class="">
I tried apt install syslog-ng-mod-geoip and this broke things badly and I have been trying to recover for the last few hours :(<br class="">
<br class="">
The issue is that any attempt to start syslog-ng with the original config that includes a destination of elasticsearch_http get an error:<br class="">
<br class="">
Error parsing destination statement, destination plugin elasticsearch_http not found in /usr/local/syslog-ng-3.22/etc/syslog-ng.conf:33:3-33:21<br class="">
<br class="">
Judging from what I found on th ’Net this is what one would expect if the syslog-ng version was prior to 3.21 and did not support the http dest.<br class="">
<br class="">
I first tried recompiling and installing 3.21 (in a different dir) with geoip2 enabled. That went with out errors but still would not process my config.<br class="">
<br class="">
Aside: At this point I found that in spite of having the geoip2 module included, syslog-ng failed to find it when I copied the setup from the manual. long story short the manual says the module is ‘geoip2’ when in fact it is ‘geoip2-plugin’ and that is the
name you have to use in the @module. Weird!<br class="">
<br class="">
I then compiled 3.22 since I had the tar file and this behaved the same.<br class="">
<br class="">
rful011@secmgrprd02:~$ cat short.conf <br class="">
@version: 3.21<br class="">
@include "scl.conf"<br class="">
<br class="">
@module geoip2-plugin<br class="">
<br class="">
source s_loghost {<br class="">
network( transport("tcp") flags(no-multi-line) port(1514) keep-alive(yes));<br class="">
};<br class="">
<br class="">
<br class="">
destination d_elastic {<br class="">
elasticsearch_http(<br class="">
index("auth_${YEAR}.${MONTH}.${DAY}")<br class="">
type("auth")<br class="">
persist-name("auth")<br class="">
template( "$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")<br class="">
url("<a href="http://secesprd01.its.auckland.ac.nz:9200/_bulk" class="">http://secesprd01.its.auckland.ac.nz:9200/_bulk</a>")<br class="">
);<br class="">
};<br class="">
<br class="">
log {<br class="">
source(s_loghost);<br class="">
destination(d_elastic );<br class="">
flags(flow-control);<br class="">
};<br class="">
<br class="">
rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng -s -c ~/short.conf <br class="">
Error parsing destination statement, destination plugin elasticsearch_http not found in /usr/local/syslog-ng-3.21/etc/syslog-ng.conf:33:3-33:21:<br class="">
28 file( "/home/rful011/test.log" template(t_db_parsed_test));<br class="">
29 };<br class="">
30 <br class="">
31 <br class="">
32 destination d_elastic {<br class="">
33----> elasticsearch_http(<br class="">
33----> ^^^^^^^^^^^^^^^^^^<br class="">
34 index("auth_${YEAR}.${MONTH}.${DAY}")<br class="">
35 type("auth")<br class="">
36 persist-name("auth")<br class="">
37 template( "$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")<br class="">
38 url("http://secesprd01.its.auckland.ac.nz:9200/_bulk”)<br class="">
<br class="">
rful011@secmgrprd02:~$ /usr/local/syslog-ng-3.21/sbin/syslog-ng --version<br class="">
syslog-ng 3 (3.21.1)<br class="">
Config version: 3.21<br class="">
Installer-Version: 3.21.1<br class="">
Revision: <br class="">
Compile-Date: Mar 29 2020 11:57:39<br class="">
Module-Directory: /usr/local/syslog-ng-3.21/lib/syslog-ng<br class="">
Module-Path: /usr/local/syslog-ng-3.21/lib/syslog-ng<br class="">
Include-Path: /usr/local/syslog-ng-3.21/share/syslog-ng/include<br class="">
Available-Modules: add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,examples,geoip2-plugin,tfgetent,graphite,hook-commands,http,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,mod-python,snmptrapd-parser,stardate,syslogformat,system-source,tags-parser,xml<br class="">
Enable-Debug: off<br class="">
Enable-GProf: off<br class="">
Enable-Memtrace: off<br class="">
Enable-IPv6: on<br class="">
Enable-Spoof-Source: off<br class="">
Enable-TCP-Wrapper: off<br class="">
Enable-Linux-Caps: off<br class="">
Enable-Systemd: off<br class="">
<br class="">
<br class="">
<br class="">
______________________________________________________________________________<br class="">
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<br class="">
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<br class="">
FAQ: http://www.balabit.com/wiki/syslog-ng-faq<br class="">
<br class="">
</blockquote>
<br class="">
</div>
</div>
</body>
</html>