Sorry, I wasn't implying that syslog-ng manage and apply the template to ES.

The template has already been applied to ES.

I was thinking I could use the mappings in the template to match mappings in syslog-ng.

If I wasn't clear before I'm trying to replicate what logstash writes directly to ES in syslog-ng so I can use syslog-ng as an aggregator of syslog and json data.

(beats ) ---> (logstash -TCP json output) ---> (syslog-ng TC input no-parse)

On Tue, May 16, 2017 at 3:38 AM, Fabien Wernli <wernli@in2p3.fr> wrote:

Hi,

On Mon, May 15, 2017 at 11:45:46PM -0400, Scot wrote:
> I tried reading the mapping documentation in the Balabit Latest docs but
> I'm not connecting these dots, sorry.
>
> Can I use the templates for creating the ES index as a reference for json
> mapping in syslog-ng ?

syslog-ng does not manage ES templates.
You must add those manually using the ES REST interface:

curl -XPOST 0:9200/_template/mytemplate -d@/tmp/mytemplate.json

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq