Hi,

The official distro packages do not contain the elasticsearch destinations (missing dependencies from the distros to build it, not just openSUSE but all others as well). There are unofficial packages with java/elasticsearch. You can find the latest version of unofficial syslog-ng packages for openSUSE here: https://build.opensuse.org/project/show/home:czanik:syslog-ng316

As I can see, you use ElasticSearch 6.3. In that case only the http(s) client mode is supported. Everything for that is included in the syslog-ng package, you do not need to copy .jar files around.

Note that libjvm.so needs to be available ( https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/28#TOPIC-956490 ) either through LD_LIBRARY_PATH or by adding it to ld.so.conf (the latter is recommended, unless you have multiple Java versions on your machine). See https://www.syslog-ng.com/community/b/blog/posts/troubleshooting-java-support-syslog-ng/ for more details.

Let me know if you need any further help,

Peter

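As an added example (not part of the thread, and not syslog-ng's own tooling), a small POSIX shell script for the two checks Peter describes: whether a module is listed in `syslog-ng --version` and whether libjvm.so is resolvable via the ld.so cache or LD_LIBRARY_PATH. The sample version text is taken from the question below; the function names `has_module` and `libjvm_resolvable` are my own.

```shell
#!/bin/sh
# Added example: pre-flight checks before enabling the Java-based
# elasticsearch2 destination. Both functions accept an optional second/first
# argument with captured command output so they can be exercised offline.

# Constructed sample: the relevant lines of the `syslog-ng --version` output
# from the question (a build without Java support).
SAMPLE_VERSION_OUTPUT='syslog-ng 3.8.1
Installer-Version: 3.8.1
Available-Modules: add-contextual-data,afamqp,affile,afmongodb,afprog,afsocket,afstomp,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,graphite,json-plugin,kvformat,linux-kmsg-format,pseudofile,sdjournal,syslogformat,system-source
Enable-Debug: off'

# has_module MODULE [VERSION_OUTPUT]
# Returns 0 if MODULE appears in the Available-Modules list, 1 otherwise.
# Without a second argument it runs the real `syslog-ng --version`.
has_module() {
    mod="$1"
    out="${2:-$(syslog-ng --version 2>/dev/null)}"
    printf '%s\n' "$out" \
      | sed -n 's/^Available-Modules: *//p' \
      | tr ',' '\n' \
      | grep -qxF "$mod"
}

# libjvm_resolvable [LDCONFIG_OUTPUT]
# Returns 0 if the dynamic linker cache lists libjvm.so (the ld.so.conf route)
# or a directory in LD_LIBRARY_PATH contains it; 1 otherwise.
libjvm_resolvable() {
    cache="${1:-$(ldconfig -p 2>/dev/null)}"
    if printf '%s\n' "$cache" | grep -q 'libjvm\.so'; then
        return 0
    fi
    old_ifs="$IFS"; IFS=:
    for d in ${LD_LIBRARY_PATH:-}; do
        if [ -f "$d/libjvm.so" ]; then IFS="$old_ifs"; return 0; fi
    done
    IFS="$old_ifs"
    return 1
}

# Stand-alone use: report both checks for the sample output.
if has_module mod-java "$SAMPLE_VERSION_OUTPUT"; then
    echo "mod-java: available"
else
    echo "mod-java: missing (install a syslog-ng build with Java support)"
fi
libjvm_resolvable && echo "libjvm.so: resolvable" || echo "libjvm.so: not found"
```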

On Tue, Jul 3, 2018 at 11:34 AM, T4iga <niklastai97@gmail.com> wrote:

Hello Syslog-NG community,

I am trying to configure syslog-ng to send messages to Elasticsearch for me to process them in Kibana. I get an error for the @module mod-java and the elasticsearch2 destination.

I am running OpenSuse 42.3.

syslog-ng --version:
syslog-ng 3.8.1
Installer-Version: 3.8.1
Revision:
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Available-Modules: add-contextual-data,afamqp,affile,afmongodb,afprog,afsocket,afstomp,afuser,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,graphite,json-plugin,kvformat,linux-kmsg-format,pseudofile,sdjournal,syslogformat,system-source
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: off

I have downloaded and extracted Elasticsearch 6.3.0 and placed it in /usr/local/bin/elasticsearch-6.3.0/. In accordance with this:
"Extract the Elasticsearch libraries into a temporary directory, then collect the various .jar files into
a single directory (for example, /opt/elasticsearch/lib/ ) where syslog-ng OSE can access
them. You must specify this directory in the syslog-ng OSE configuration file. The files are located
in the lib directory and its subdirectories of the Elasticsearch release package." (quoted from Syslog-NG OSE 3.15 Admin Guide, 7.3.1. Procedure – Prerequisites, Step 3, page 175)
I copied all JAR libraries inside elasticsearch-6.3.0/lib/ to the default path for syslog-ng plug-ins which is /usr/lib64/syslog-ng as stated below. Is this not what the step tells me to do?
 
I get the following error:

#[2018-07-03T11:20:39.403329] Plugin module not found in 'module-path'; module-path='/usr/lib64/syslog-ng', module='mod-java'
Error parsing destination, destination plugin elasticsearch2 not found in /etc/syslog-ng/syslog-ng.conf at line 141, column 2:

    elasticsearch2(
    ^^^^^^^^^^^^^^


I seem to be missing two necessary plug-ins:
mod-java
elasticsearch2

Where can I get these?
Feel free to request any additional info I might have missed out on.

Sincerely
Niklas Deffner

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq