[syslog-ng] Help! CentOS 7 ELK Stack from repos no index data.

Scot Needy scotrn at gmail.com
Thu Sep 8 06:16:22 CEST 2016 

So, I rebuilt my home stand alone system and only used the supported 3.8 and ES 2.4 current repos. 

Everything seems to be up and running with no complaints but I am not getting any data in Kibana, syslog-ng_* index and I can’t figure out if it’s something in syslog-ng.conf. 

Getting a bunch of stuff in /var/log/network.log  from my cable modem but nothing is showing in discovery HELP!
I’ve looked at this for hours and tried so many variants on destination d_es 
client-mode, all supported template options… 

Only thing weird I can see is this in the es logs.  data=false

[2016-09-08 00:00:01,977][INFO ][cluster.metadata         ] [node-1] [syslog-ng_2016.09.08] creating index, cause [auto(bulk api)], templates [], shards [5]/[1], mappings []
[2016-09-08 00:00:02,108][INFO ][cluster.routing.allocation] [node-1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[syslog-ng_2016.09.08][0], [syslog-ng_2016.09.08][0]] ...]).
[2016-09-08 00:00:02,127][INFO ][cluster.metadata         ] [node-1] [syslog-ng_2016.09.08] create_mapping [syslog-ng]
[2016-09-08 00:15:28,886][INFO ][cluster.service          ] [node-1] removed {{node-1}{kSmxkMoZQu6ZXvWWb70L5g}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false},}, reason: zen-disco-node-left({node-1}{kSmxkMoZQu6ZXvWWb70L5g}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false}), reason(left)
[2016-09-08 00:15:39,358][INFO ][cluster.service          ] [node-1] added {{node-1}{Df73oV_kQCubR5MeHiJnJA}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false},}, reason: zen-disco-join(join from node[{node-1}{Df73oV_kQCubR5MeHiJnJA}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false}])
[2016-09-08 00:15:44,409][INFO ][cluster.metadata         ] [node-1] [syslog-ng_2016.09.08] update_mapping [syslog-ng]
[2016-09-08 00:31:14,268][INFO ][cluster.service          ] [node-1] removed {{node-1}{Df73oV_kQCubR5MeHiJnJA}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false},}, reason: zen-disco-node-left({node-1}{Df73oV_kQCubR5MeHiJnJA}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false}), reason(left)
[2016-09-08 00:31:19,823][INFO ][cluster.service          ] [node-1] added {{node-1}{4h_70582RoWKL-jsAPzF4g}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false},}, reason: zen-disco-join(join from node[{node-1}{4h_70582RoWKL-jsAPzF4g}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false}])
[2016-09-08 00:38:29,163][INFO ][cluster.service          ] [node-1] removed {{node-1}{4h_70582RoWKL-jsAPzF4g}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false},}, reason: zen-disco-node-left({node-1}{4h_70582RoWKL-jsAPzF4g}{127.0.0.1}{127.0.0.1:9301}{client=true, data=false}), reason(left)


https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html <https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html>
https://www.elastic.co/guide/en/kibana/4.6/setup-repositories.html <https://www.elastic.co/guide/en/kibana/4.6/setup-repositories.html>
https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng38/repo/epel-7/czanik-syslog-ng38-epel-7.repo <https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng38/repo/epel-7/czanik-syslog-ng38-epel-7.repo> 

[root at meo syslog-ng]# cat  /etc/syslog-ng/syslog-ng.conf
@version:3.8
@include "scl.conf"
@module mod-java

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
    ts_format(iso);
};

source s_netsyslog {
       	udp();
       	tcp();
       	syslog();
};

source s_sys {
    system();
    internal();
};

destination d_es {
       	elasticsearch2(
       		index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
       		type("syslog-ng") # Description: The type of the index. For example, type("test")
       		port("9300")
       		server("127.0.0.1")
       		concurrent-requests("5")
       		flush_limit("1")
       		client-mode("transport")
       		skip-cluster-health-check("yes")
       		cluster("meo")
       		custom_id("syslog-ng")
       		resource("/etc/elasticsearch/elasticsearch.yml")
       		client_lib_dir("/usr/share/elasticsearch/lib")
       		concurrent_requests("100")
       	);
};

destination d_netsyslog { file("/var/log/network.log" owner("root") group("root") perm(0644)); };

log {
       	source(s_netsyslog);
       	destination(d_es);
 };

log {
       	source(s_sys);
        source(s_netsyslog);
        destination(d_netsyslog);
 };


# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20160908/2ff6d046/attachment.htm

More information about the syslog-ng mailing list