Thanks Fabien, I think I understand now! 🙂
To answer Russel:
When started, syslog-ng does not create the index in ES; it relies on ES to create it itself with the default mapping types.
If you want to have an index with custom mappings, you will have to create it yourself before sending logs to it from syslog-ng.
I can come up with a possible enhancement:
We could give the user an option to set multiple field mapping types when configuring the elasticsearch-http() destination, and if it is set, syslog-ng will try to create the index with the given mapping types before sending the logs. Although it does not fit really well with the current implementation of elasticsearch-http(), it might be possible that we can make it work.
What do you think about this idea? Is this what you are looking for? 🙂
Best regards,
Attila
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Fabien Wernli <wernli@in2p3.fr>
Sent: Monday, September 2, 2019 10:26 AM
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Elasticscearh-http dest wish list