Elasticsearch destination and date macros
Hi All,

I am having a problem getting the date macros (Year, Month, Day) to work in syslog-ng OSE when using the elasticsearch plugin. They work for file-based outputs, so I know the syntax is correct and being parsed correctly. I have now upgraded from syslog-ng 3.6 to syslog-ng 3.8.1, running on Ubuntu 16.04, but still the same symptoms. It is like the ${YEAR} is not being passed as a variable value.

For example I tried using the index name "syslog-ng-${YEAR}", starting syslog-ng with -Fevd:

    [2016-08-22T17:26:35.440602] Sending destination program a TERM signal; cmdline='/usr/share/syslog-ng/include/scl/elasticsearch/es-bridge localhost 9200 syslog-ng-${YEAR} syslog-ng', child_pid='12134'

The index created in elasticsearch:

    yellow open syslog-ng- 5 1 239611 0 69.7mb 69.7mb

Very simple syslog-ng.conf:

    destination d_elastic {
        elasticsearch(index("syslog-ng-${YEAR}") type("syslog-ng") );
    };
    log { source(s_netsyslog); destination(d_elastic); };

Is this a bug or have I missed something?

Thanks
Hi Adam,

On Mon, Aug 22, 2016 at 04:30:43PM +0000, Adam Carter wrote:

> [2016-08-22T17:26:35.440602] Sending destination program a TERM signal; cmdline='/usr/share/syslog-ng/include/scl/elasticsearch/es-bridge localhost 9200 syslog-ng-${YEAR} syslog-ng', child_pid='12134'
This log line suggests you're using the deprecated python script which wraps the elasticsearch destination. It's surprising the script is still present on your system. Could you check by what package it's being provided?

You should use the elasticsearch or elasticsearch2 destinations depending on your version. The best option here, unless you need high throughput, would be to use the elasticsearch2 destination with HTTP client mode, as that would be the most compatible. It will require Java on your system. Please check the online documentation on how to use the new destination.
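As an added example (not part of the thread and not taken from the syslog-ng documentation), here is a syslog-ng 3.8 configuration along the lines of the reply above: the elasticsearch2() driver in HTTP client mode, with the date macros expanded into a per-day index name. The cluster name, cluster-url, listening port and the daily index pattern are assumptions chosen for illustration; only the 3.8 version, the type("syslog-ng") value and the s_netsyslog source name come from the thread.

```conf
# Added example, not from the original thread. Assumes syslog-ng OSE 3.8 with
# the Java-based elasticsearch2() driver installed and an Elasticsearch node
# reachable on localhost:9200. cluster(), cluster-url(), the UDP/514 source
# and the daily index pattern are illustrative assumptions.
@version: 3.8
@include "scl.conf"

# Assumed network source; the original post only references it by name.
source s_netsyslog {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

destination d_elastic {
    elasticsearch2(
        client-mode("http")
        cluster("syslog-ng")
        cluster-url("http://localhost:9200")
        # The macros are expanded per message by the driver itself, so each
        # day's messages land in their own index (e.g. syslog-ng-2016.08.22),
        # rather than in a literal "syslog-ng-" index as in the original post.
        index("syslog-ng-${YEAR}.${MONTH}.${DAY}")
        type("syslog-ng")
    );
};

log { source(s_netsyslog); destination(d_elastic); };
```

Starting syslog-ng with the same -Fevd flags as in the original post is a quick way to confirm that no es-bridge process is spawned any more; the index names can then be checked in Elasticsearch's index list in the same way as the "yellow open syslog-ng-" line above.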
Participants (2): Adam Carter, Fabien Wernli