Hi,

We support ES5.x only via http mode.

regards,
Laszlo Budai

_____________________________
From: Scot <scotrn@gmail.com>
Sent: Wednesday, January 18, 2017 3:33 AM
Subject: Re: [syslog-ng] Error initializing message pipeline;
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>, Fabien Wernli <wernli@in2p3.fr>


Is client-mode("transport") now supported with ES 5.1? I thought it was only http mode for ES 5.

I got a pipeline error, then switched to http, thinking it was the transport mode. http worked fine.

On Tue, Jan 17, 2017 at 9:58 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi Damian,

You need to specify the location to your elasticsearch installation, i.e.
where the .jar files are installed.
If you're using the official packages from elastic.co, they are most likely
located here: /usr/share/elasticsearch/lib/

So your config ought to look like the following instead:

    source s_syslog { udp(ip(0.0.0.0) port(514)); };

    destination d_elastic {
      elasticsearch2(
        client-lib-dir("/usr/share/elasticsearch/lib/")
        index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
        type("test")
        cluster("someserver")
        client-mode("transport")
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)")
        time-zone("UTC")
      );
    };

Moreover, you might want to set the destination's timezone to UTC too, or
you'll have surprises in Kibana around midnight UTC: time-zone("UTC")

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq