[syslog-ng] Stupid E-S-K Question

Scheidler, Balázs balazs.scheidler at balabit.com
Fri Jan 27 07:41:04 UTC 2017


So syslog-ng does send HOST in its output, so the problem is probably on
the es side.

On Jan 26, 2017 23:07, "Scot" <scotrn at gmail.com> wrote:

> On My test instance the only thing kibana shows are the "keyword" fields
> like HOST_FROM.keyword but production has both HOST_FROM and
> HOST_FROM.keyword.
>
> Perhaps from a previous es index or something ?
>
> Jan 26 16:54:19 TheBarn Cannot find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1
> Jan 26 16:54:49 TheBarn Cannot find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1
> *Output format applied *
> {"SOURCE":"s_net","PROGRAM":"Cannot","PRIORITY":"warning","MESSAGE":"find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1","LEGACY_MSGHDR":"Cannot ","ISODATE":"2017-01-26T16:55:19-05:00","HOST_FROM":"192.168.1.1","HOST":"TheBarn","FACILITY":"user","DATE":"Jan 26 16:55:19"}
> {"SOURCE":"s_net","PROGRAM":"Cannot","PRIORITY":"warning","MESSAGE":"find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1","LEGACY_MSGHDR":"Cannot ","ISODATE":"2017-01-26T16:55:49-05:00","HOST_FROM":"192.168.1.1","HOST":"TheBarn","FACILITY":"user","DATE":"Jan 26 16:55:49"}
>
>
> On Wed, Jan 25, 2017 at 1:22 AM, Scheidler, Balázs <
> balazs.scheidler at balabit.com> wrote:
>
>> Can you post the format-json output so we can see if the HOST attribute
>> is there?
>>
>> debug mode in syslog-ng should show that. Or alternatively you can use
>> the same template to write to a throwaway logfile.
>>
>> On Jan 25, 2017 5:56 AM, "Scot" <scotrn at gmail.com> wrote:
>>
>>> *E*lastic, *S*yslog-ng *K*ibana
>>>
>>> Upgraded to latest of ES Stack, Kibana 5 and syslog-ng 3.9.1
>>>
>>> I had a Kibana dashboard with a bar chart of unique count of systems
>>> that had sent a syslog heartbeat. So I could see any missed heartbeats for
>>> any host in the last 24 hours.
>>>
>>> Post upgrade of syslog-ng the host_from, host fields do not seem to come
>>> into ES as usable fields because they are not indexed. So visualizations
>>> like "bar charts by unique 'host'" are broken. Has anyone seen this?
>>>
>>>
>>>                 client-mode("http")
>>>                 index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
>>>                 type("syslog") # Description: The type of the index. For example, type("test")
>>>                 template("$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n")
>>>
>>>
>>>
>>>
>>> ____________________________________________________________
>>> __________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support
>>> /documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>
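The two checks the thread boils down to, as an added example that is not part of the original mails: first, confirm from a throwaway logfile written with the same format-json template that syslog-ng really emits HOST and HOST_FROM; second, read the index mapping on the ES side to see which fields Kibana can aggregate on (a text field is only usable for a unique count through its keyword sub-field, which is why only HOST_FROM.keyword shows up). The output lines are copied from the thread; the ES mapping is a constructed sample in the shape ES 5.x returns from GET /<index>/_mapping, with a hypothetical field layout.

```python
import json

# Constructed sample: the two format-json lines from the thread, rejoined onto one line each.
SYSLOG_NG_OUTPUT = """\
{"SOURCE":"s_net","PROGRAM":"Cannot","PRIORITY":"warning","MESSAGE":"find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1","LEGACY_MSGHDR":"Cannot ","ISODATE":"2017-01-26T16:55:19-05:00","HOST_FROM":"192.168.1.1","HOST":"TheBarn","FACILITY":"user","DATE":"Jan 26 16:55:19"}
{"SOURCE":"s_net","PROGRAM":"Cannot","PRIORITY":"warning","MESSAGE":"find cache entry for mac 9c:e6:35:f2:cd:93 ret=-1","LEGACY_MSGHDR":"Cannot ","ISODATE":"2017-01-26T16:55:49-05:00","HOST_FROM":"192.168.1.1","HOST":"TheBarn","FACILITY":"user","DATE":"Jan 26 16:55:49"}
"""

# Constructed sample of GET /<index>/_mapping on ES 5.x. Index name and mapping type
# follow the thread's config; which fields got a keyword sub-field is hypothetical.
ES_MAPPING = {
    "syslog-ng_2017.01.26": {"mappings": {"syslog": {"properties": {
        "HOST": {"type": "text",
                 "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
        "HOST_FROM": {"type": "keyword"},
        "MESSAGE": {"type": "text"},
        "ISODATE": {"type": "date"},
    }}}}
}


def missing_fields(jsonl, required=("HOST", "HOST_FROM")):
    """Return {line_number: [missing keys]} for JSON lines lacking a required field.

    Run over the throwaway logfile Balázs suggests; an empty dict means syslog-ng
    emits the fields and the problem is on the Elasticsearch side.
    """
    missing = {}
    for lineno, line in enumerate(jsonl.splitlines(), start=1):
        if not line.strip():
            continue
        keys = json.loads(line).keys()
        absent = [f for f in required if f not in keys]
        if absent:
            missing[lineno] = absent
    return missing


def aggregatable_fields(mapping):
    """Map each mapped field to the name a Kibana unique count can use, or None.

    ES 5 dynamic mapping stores strings as analyzed 'text' (not aggregatable) plus
    a 'keyword' sub-field; only the sub-field works for terms/cardinality aggs.
    """
    result = {}
    for index in mapping.values():
        for doc_type in index["mappings"].values():
            for name, spec in doc_type["properties"].items():
                if spec.get("type") != "text":
                    result[name] = name  # keyword, date, ip, numeric: usable as-is
                    continue
                kw = [sub for sub, f in spec.get("fields", {}).items()
                      if f.get("type") == "keyword"]
                result[name] = name + "." + kw[0] if kw else None
    return result


if __name__ == "__main__":
    print("missing:", missing_fields(SYSLOG_NG_OUTPUT))
    print("aggregatable:", aggregatable_fields(ES_MAPPING))
```

Replace the embedded samples with the real logfile contents and the mapping returned by your cluster to check a live setup.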