Sorry, I wasn't implying that syslog-ng manage and apply the template to ES. The template has already been applied to ES. I was thinking I could use the mappings in the template to match mappings in syslog-ng. If I wasn't clear before I'm trying to replicate what logstash writes directly to ES in syslog-ng so I can use syslog-ng as an aggregator of syslog and json data. (beats ) ---> (logstash -TCP json output) ---> (syslog-ng TC input no-parse) On Tue, May 16, 2017 at 3:38 AM, Fabien Wernli <wernli@in2p3.fr> wrote:

Hi,

On Mon, May 15, 2017 at 11:45:46PM -0400, Scot wrote:

...

I tried reading the mapping documentation in the Balabit Latest docs but I'm not connecting these dots, sorry.

Can I use the templates for creating the ES index as a reference for json mapping in syslog-ng ?

syslog-ng does not manage ES templates. You must add those manually using the ES REST interface:

curl -XPOST 0:9200/_template/mytemplate -d@/tmp/mytemplate.json

____________________________________________________________ __________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/? product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq