This seems to be a problem with how Kibana is looking at the ES.

from syslog-ng -F

[2016-04-15T10:33:03.019083] org.syslog_ng.elasticsearch_v2.ElasticSearchDestination.createIndexRequest:95 - Outgoing log entry, json='{"PROGRAM":"asa11","PRIORITY":"warning","MESSAGE":"%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:5.135.188.112 dst public:X.X.X.X (type 3, code 3) on outside interface. Original IP payload: udp src X.X.X.X/3306 dst 5.135.188.112/3306.","ISODATE":"2016-04-15T10:33:03-04:00","HOST":"X.X.X.X","FACILITY":"local5","timestamp":"2016-04-15T10:33:03-04:00"}';
[2016-04-15T10:33:03.024982] org.syslog_ng.elasticsearch_v2.messageprocessor.ESSingleMessageProcessor.send:42 - Message inserted with id: syslog;

I can see the files growing in ES.

[root@loghost kibana]# find /var/lib/elasticsearch/ -newer /opt/syslog-ng/etc/syslog-ng.conf
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index/_d.cfs
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index/_d.si
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index/_d.cfe
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/index/segments_c
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/translog
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/translog/translog.ckp
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/.kibana/0/translog/translog-7.tlog
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index/_6n5.cfs
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index/_6n5.si
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index/segments_4
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/index/_6n5.cfe
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/translog
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/translog/translog.ckp
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/3/translog/translog-4.tlog
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/_state
/var/lib/elasticsearch/syslog-ng/nodes/0/indices/syslog-ng_2016.04.15/_state/state-3.st
On Apr 14, 2016, at 11:03 AM, Scot Needy <scotrn@gmail.com> wrote:
[root@loghost etc]# curl http://localhost:9200/_cat/indices
yellow open .kibana 1 1 2 0 7.6kb 7.6kb
yellow open syslog-ng_2016.04.13 5 1 1110 1 383.5kb 383.5kb
yellow open syslog-ng_2016.04.14 5 1 1 0 11.8kb 11.8kb
On Apr 14, 2016, at 10:47 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
On Thu, Apr 14, 2016 at 09:41:42AM -0400, Scot Needy wrote:
I think all the TCP port connections are correct it’s just a configuration to get ES to store data.
show the contents of the following please:
wget http://localhost:9200/_cat/indices
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq