<div dir="ltr"><div>Hi,</div><div><br></div><div>You can make a copy of elasticsearch-http SCL like elasticsearch-http2 and adjust the http() block's body part to use create, instead of index.</div><div><br></div><div>- body("$(format-json --scope none --omit-empty-values
index._index=`index` index._type=`type`
index._id=`custom_id`)\n`template`") <br></div><div>+ body("$(format-json --scope none --omit-empty-values create._index=`index` index._type=`type`
index._id=`custom_id`)\n`template`")
</div><div><br></div><div><a href="https://github.com/syslog-ng/syslog-ng/blob/master/scl/elasticsearch/elastic-http.conf">https://github.com/syslog-ng/syslog-ng/blob/master/scl/elasticsearch/elastic-http.conf</a></div><div><br></div><div>Although this will make it work with data streams you will still have to take care of everything else just as with now called legacy indexes (templates, mapping).</div><div>Data streams on Kibana are quite new (7.0.9 or 7.10 maybe). It is still in flux.<br></div><div><br></div><div></div><div>ILM is mostly used for cases when you want to replace indexes according to storage tiers in multi node clusters (warm, hot, cold node) or want to have delete indexes older than a specified time.</div><div>If you just need a separate index for example every month, then use the data macros in the elasticsearch-http destination when you specify the index name.</div><div><br></div><div>/ Warning<br></div><div>I do not work for Elastic, these are my personal experiences.<br></div><div>
ILM highly depends on things like rollover alias, which is set by the index template - created by beats in advance - whenever a new index is created. And it is versioned.<br></div><div></div><div>Elasticsearch - the vendor - puts a lot of effort into making beats + Elasticsearch nodes themselves to work together.</div><div>However they always change something upon upgrades which requires great effort to accomodate in syslog-ng.<br></div><div><br></div><div>
If you use syslog-ng with Elasticsearch, I highly recommend to go full manually with everything, maybe add enrichments with Logstash.
</div><div>You should not mix things used by beats with syslog-ng (templates, mapping, ILM, pipelines, dashboards, etc).
</div><div>/<br></div><div><br></div><div>If you need some maintained examples, have a look at my configs.: <a href="https://github.com/abalage/balagetech-openwrt-syslog-ng-elasticsearch/blob/master/elasticsearch/template-network.json">https://github.com/abalage/balagetech-openwrt-syslog-ng-elasticsearch/blob/master/elasticsearch/template-network.json</a></div><div><br></div><div>Regards,</div><div>Balázs<br></div><div><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><<a href="mailto:syslog-ng-request@lists.balabit.hu">syslog-ng-request@lists.balabit.hu</a>> ezt írta (időpont: 2020. dec. 19., Szo, 13:00):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send syslog-ng mailing list submissions to<br>
<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:syslog-ng-request@lists.balabit.hu" target="_blank">syslog-ng-request@lists.balabit.hu</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:syslog-ng-owner@lists.balabit.hu" target="_blank">syslog-ng-owner@lists.balabit.hu</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of syslog-ng digest..."<br>
Today's Topics:<br>
<br>
1. elasticsearch and ILM (Russell Fulton)<br>
<br><br><br>---------- Forwarded message ----------<br>From: Russell Fulton <<a href="mailto:r.fulton@auckland.ac.nz" target="_blank">r.fulton@auckland.ac.nz</a>><br>To: "Syslog-ng users' and developers' mailing list" <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>Cc: <br>Bcc: <br>Date: Sat, 19 Dec 2020 01:40:42 +0000<br>Subject: [syslog-ng] elasticsearch and ILM<br>I have been using the elasticsearch_http driver to push stuff into ES for well over a year. Now I am trying to use the Index Lifecycle Management (ILM) to manage these indexes and finding it very confusing. There seem to be holes in the ES docs and help on their forum is a bit erratic. <br>
<br>
The most confusing thing is the “rollover index alias” and I have yet to find a coherent explanation of exactly what it does and how to set it. Most of the documentation seems to assume you are using filebeat, logstash or datastreams.<br>
<br>
So far as I can see you syslog-ng can not write to datastreams as you need to use “create” rather than “index”. <br>
<br>
If anyone has a working set up that they are happy to share it would be wonderful.<br>
<br>
Russell_______________________________________________<br>
syslog-ng maillist - <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a><br>
<a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
</blockquote></div></div>