Hi Fabien,

OK, after some deeper investigation I have found out the following:
template t_sonicwall {
    template("$(format-json --scope all-nv-pairs --exclude MESSAGE,SOURCE,src.data,dst.data,cfield,nfield,mfield,fw.ip)");
};

## DESTINATIONS ##
destination d_elasticsearch {
    elasticsearch2(
        #client-lib-dir("/jarfiles/")
        client-lib-dir("/jarfiles/*.jar:/usr/lib/syslog-ng/3.13/java-modules/elastic-jest-client/*.jar:/usr/lib/syslog-ng/3.13/java-modules/")
        index("fw")
        # index("fw-${YEAR}.${MONTH}.$(lowercase '${.classifier.class}')")
        type("syslog")
        #time-zone("UTC")
        client_mode("http")
        cluster("tst-docker-cluster")
        #cluster_url("http://192.168.32.100:9200")
        cluster_url("http://tst-es6:9200")
        skip-cluster-health-check("yes")
        # reference to the template block defined above
        template(t_sonicwall)
        flush-limit("1")
    );
};
The template substitution in the destination does not seem to work - in the packet capture I can see syslog-ng sending just 't_sonicwall' as a string instead of replacing that with the template defined in the config file.
If in the destination I put the full line:
template("$(format-json --scope all-nv-pairs --exclude MESSAGE,SOURCE,src.data,dst.data,cfield,nfield,mfield,fw.ip)");
things work correctly and a proper JSON object is sent to ES.
In my config file I tried both template(t_sonicwall) and template("t_sonicwall"), as I am never sure what goes in quotes and what doesn't.
I am not sure if this is a bug or just something wrong with the Docker image of syslog-ng - weird that I am the only one experiencing this?
Thanks,
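The post above diagnoses the problem from a packet capture. The following is an added example, not code from the poster or from the syslog-ng project, that automates that check: given the raw text of an HTTP request captured on its way to Elasticsearch, it reports whether syslog-ng rendered the template into a JSON object or shipped the template name as a bare string, and whether any of the fields named in the --exclude list of the poster's format-json call still reached the document. The captured requests in the block are constructed for illustration, the field names in EXCLUDED_FIELDS are copied from the poster's template, and the assumption that a request body is either a single JSON document or NDJSON bulk lines is mine, not something the original post states.

```python
"""Check what a syslog-ng Elasticsearch destination actually put on the wire.

Added example (not from the original post). Input is the raw text of a
captured HTTP request; output is one verdict per JSON document found in
its body. All sample requests below are constructed, not real captures.
"""
import json

# Names the poster's template drops with --exclude; they must never reach
# the index. Dotted names are matched against flattened nested objects,
# because format-json turns "src.data" into {"src": {"data": ...}}.
EXCLUDED_FIELDS = {"MESSAGE", "SOURCE", "src.data", "dst.data",
                   "cfield", "nfield", "mfield", "fw.ip"}
# Template names defined in the config. A body equal to one of these means
# the reference was sent verbatim instead of being expanded.
TEMPLATE_NAMES = {"t_sonicwall"}
# Assumed Elasticsearch bulk action keywords (used to skip action lines).
BULK_ACTIONS = {"index", "create", "update", "delete"}


def http_body(raw_request: str) -> str:
    """Return the body of a raw HTTP request (headers end at the first blank line)."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    if not sep:  # tolerate captures re-written with bare LF line endings
        head, sep, body = raw_request.partition("\n\n")
    return body


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects into dotted keys: {"src": {"data": 1}} -> {"src.data": 1}."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def documents(body: str) -> list:
    """Return the JSON values in a body: a single document, or the document
    lines of an NDJSON bulk request. Lines that are not JSON are kept as raw
    text so they can be diagnosed; bulk action lines are skipped (a log
    document consisting solely of a key named like an action would be
    skipped too, an accepted limitation of this check)."""
    docs = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            value = json.loads(line)
        except json.JSONDecodeError:
            value = line
        if isinstance(value, dict) and set(value) <= BULK_ACTIONS:
            continue
        docs.append(value)
    return docs


def diagnose(raw_request: str) -> list:
    """One verdict per document: 'ok', 'unresolved-template:<name>',
    'not-an-object', or 'leaked:<comma-separated excluded fields>'."""
    verdicts = []
    for doc in documents(http_body(raw_request)):
        if isinstance(doc, str) and doc.strip("\"'") in TEMPLATE_NAMES:
            verdicts.append("unresolved-template:" + doc.strip("\"'"))
        elif not isinstance(doc, dict):
            verdicts.append("not-an-object")
        else:
            leaked = sorted(EXCLUDED_FIELDS & set(flatten(doc)))
            verdicts.append("leaked:" + ",".join(leaked) if leaked else "ok")
    return verdicts


# Constructed sample captures (not real traffic).
BROKEN_CAPTURE = ("POST /fw/syslog HTTP/1.1\r\nHost: tst-es6:9200\r\n"
                  "Content-Type: application/json\r\n\r\n"
                  "t_sonicwall")
GOOD_CAPTURE = ("POST /fw/syslog HTTP/1.1\r\nHost: tst-es6:9200\r\n"
                "Content-Type: application/json\r\n\r\n"
                '{"PROGRAM":"sonicwall","HOST":"fw01","src":{"ip":"10.0.0.5"},'
                '"fw":{"action":"drop"}}')
LEAKY_CAPTURE = ("POST /_bulk HTTP/1.1\r\nHost: tst-es6:9200\r\n"
                 "Content-Type: application/x-ndjson\r\n\r\n"
                 '{"index":{"_index":"fw","_type":"syslog"}}\n'
                 '{"MESSAGE":"raw text","src":{"data":"abc","ip":"1.2.3.4"}}\n')

if __name__ == "__main__":
    for name, capture in [("broken", BROKEN_CAPTURE), ("good", GOOD_CAPTURE),
                          ("leaky", LEAKY_CAPTURE)]:
        print(name, diagnose(capture))
```

Feed it the request bodies reassembled from the capture (for example, the TCP stream exported from Wireshark) rather than single packets, since a body split across segments would otherwise be parsed as non-JSON.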