On 03/03/2016 09:45 PM, Fabien Wernli wrote:
Hi,
On Thu, Mar 03, 2016 at 02:27:34PM -0800, Evan Rempel wrote:
It seems like (I have not confirmed) that when the ES destination in syslog-ng is running in client_mode("node") it seems to run as if it were a full fledged ES node. This means that the syslog-ng destination can NOT run in this mode on a system that is also running the ES code.

While your assumption that syslog-ng is running a fully fledged ES node is true, your conclusion is not. You *can* run both on the same host.
I interpret your statement as "you can run both *functions* on the same host", meaning that a host running syslog-ng and a syslog-ng instantiated ES node can ingest, index and store the ES documents.

What I was stating was that you could not have an ES instance started by /sbin/service elasticsearch start AND one started by syslog-ng as a syslog-ng destination because that is effectively running two ES instances on one host (perhaps this can be done with different ports/IPs?).

Correct me if I misunderstand. I'm still quite new to this.

Evan.
On a side note, in "node" mode it would probably be possible to configure syslog-ng's ES instance to data=true, and thus make it actually store data. But I wouldn't recommend this unless it's the only process actually indexing data to ES.