[syslog-ng] Syslog-ng input for beats ?

Fabien Wernli wernli at in2p3.fr
Fri May 12 11:05:44 UTC 2017


Hi,

On Fri, May 12, 2017 at 06:38:46AM -0400, Scot wrote:
> I don't get it, I don't have that in my current ES target for syslog.

Kibana and most other frontends and maybe even libraries use the query's
time to infer the index name: syslog-ng_${YEAR}.${MONTH}.${DAY} in your
example. They use the UTC timezone to do that. If you use localtime, like in
your example (implicitly), documents having 00:30 as a timestamp, for example,
will end up in the wrong index, and this will also depend on DST.

When you search for them in kibana you might end up with wrong
results.

TL;DR: use time-zone("UTC") in your elasticsearch destination whenever you
use time-based indices.

Maybe we should even add that to the default SCL.
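The mismatch described above, worked through as an added example (not code from the thread or from syslog-ng): it derives the index name from a document's timestamp the way the destination's date macros do, in the destination's time zone, and compares it with the index a UTC-based client such as Kibana would query. The index pattern syslog-ng_${YEAR}.${MONTH}.${DAY} is the one from the thread; the host offsets (UTC+2 in summer, UTC+1 in winter) are an assumption, constructed as fixed offsets so the script runs without a tz database.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Index pattern quoted in the thread.
INDEX_PREFIX = "syslog-ng_"

# Assumed host offsets (constructed, not from the thread): a Central European
# host is UTC+2 under summer time and UTC+1 in winter. Fixed offsets are used
# so the example does not depend on the system's tz database.
CEST = timezone(timedelta(hours=2))
CET = timezone(timedelta(hours=1))


def index_name(ts: datetime, dest_tz: tzinfo) -> str:
    """Index the destination writes to: ${YEAR}.${MONTH}.${DAY} are expanded
    in the destination's time-zone(), so one instant can map to two names."""
    return f"{INDEX_PREFIX}{ts.astimezone(dest_tz):%Y.%m.%d}"


def kibana_index(ts: datetime) -> str:
    """Where a UTC-based client looks: index derived from @timestamp in UTC."""
    return index_name(ts, timezone.utc)


def placement(ts: datetime, dest_tz: tzinfo) -> dict:
    """Compare the index written with the index a UTC-based client queries."""
    written = index_name(ts, dest_tz)
    queried = kibana_index(ts)
    return {"written": written, "queried": queried, "found": written == queried}


# Constructed samples: 01:30 host-local time in summer and in winter.
# Only the summer one falls on the previous day in UTC, which is why the
# misplacement window moves with DST.
SUMMER = datetime(2017, 5, 12, 1, 30, tzinfo=CEST)  # 2017-05-11 23:30 UTC
WINTER = datetime(2017, 1, 12, 1, 30, tzinfo=CET)   # 2017-01-12 00:30 UTC


def misplaced_with_localtime() -> list:
    """True where a localtime destination writes to an index Kibana will not query."""
    return [not placement(ts, ts.tzinfo)["found"] for ts in (SUMMER, WINTER)]


def misplaced_with_utc() -> list:
    """Same documents with time-zone("UTC") on the destination: never misplaced."""
    return [not placement(ts, timezone.utc)["found"] for ts in (SUMMER, WINTER)]


if __name__ == "__main__":
    for ts in (SUMMER, WINTER):
        print(ts.isoformat(), placement(ts, ts.tzinfo), placement(ts, timezone.utc))
```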


