[syslog-ng] Help with ES destination error
Marco Mignone
info at marcomignone.com
Wed Jan 31 11:50:42 UTC 2018
Further to my previous email, it looks like the substitution does not work in the ES destination options.
In a file destination, instead, it works perfectly:
destination d_json {
    file("/var/log/json.log" template(t_sonicwall));
};
Marco
> On 31 Jan 2018, at 11:26, Marco Mignone <info at marcomignone.com> wrote:
>
> Hi Fabien,
> Ok after some deeper investigation I have found out the following:
>
> template t_sonicwall {
>     template("$(format-json --scope all-nv-pairs --exclude MESSAGE,SOURCE,src.data,dst.data,cfield,nfield,mfield,fw.ip)");
> };
>
> ## DESTINATIONS ##
>
> destination d_elasticsearch {
>     elasticsearch2(
>         #client-lib-dir("/jarfiles/")
>         client-lib-dir("/jarfiles/*.jar:/usr/lib/syslog-ng/3.13/java-modules/elastic-jest-client/*.jar:/usr/lib/syslog-ng/3.13/java-modules/")
>         index("fw")
>         # index("fw-${YEAR}.${MONTH}.$(lowercase '${.classifier.class}')")
>         type("syslog")
>         #time-zone("UTC")
>         client_mode("http")
>         cluster("tst-docker-cluster")
>         #cluster_url("http://192.168.32.100:9200")
>         cluster_url("http://tst-es6:9200")
>         skip-cluster-health-check("yes")
>         template(t_sonicwall)
>         flush-limit("1")
>     );
> };
>
> The template substitution in the destination does not seem to work - in the packet capture I can see syslog-ng sending just 't_sonicwall' as a string instead of replacing that with the template defined in the config file.
> If in the destination I put the full line:
> template("$(format-json --scope all-nv-pairs --exclude MESSAGE,SOURCE,src.data,dst.data,cfield,nfield,mfield,fw.ip)");
>
> things work correctly and a proper JSON object is sent to ES.
> In my config file I tried both template(t_sonicwall) and template("t_sonicwall"), as I am never sure what goes in quotes and what doesn't.
>
> I am not sure if this is a bug or just something wrong with the Docker image of syslog-ng - weird that I am the only one experiencing this?
>
> Thanks,
> Marco
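A quick sanity check for the failure mode described in this thread, added here as an example and not part of the original emails: it classifies record bodies as they appear on the wire towards Elasticsearch (e.g. copied out of the packet capture), flagging a bare template name, unexpanded template text, non-JSON, and JSON that still carries fields the t_sonicwall template is supposed to exclude. The sample bodies are constructed, not taken from a real capture.

```python
import json

# Fields that t_sonicwall drops via --exclude (from the config in the thread).
EXCLUDED = {"MESSAGE", "SOURCE", "src.data", "dst.data",
            "cfield", "nfield", "mfield", "fw.ip"}
# Named templates defined in the config; seeing one of these as the whole
# body means the destination sent the name instead of the rendered template.
TEMPLATE_NAMES = {"t_sonicwall"}


def classify_record(body: str) -> str:
    """Classify one record body sent to ES; returns a short label."""
    text = body.strip()
    try:
        obj = json.loads(text)
    except ValueError:
        obj = None
    if isinstance(obj, dict):
        leaked = sorted(EXCLUDED & set(obj))
        if leaked:  # rendered, but the --exclude list was not honoured
            return "json-with-excluded-fields:" + ",".join(leaked)
        return "json-ok"
    if text in TEMPLATE_NAMES:
        return "unresolved-template-name"      # the bug reported above
    if "$(" in text or "${" in text:
        return "unexpanded-template"           # template text sent verbatim
    return "not-json-object"


def check_capture(lines):
    """Count classifications over a list of captured record bodies."""
    counts = {}
    for line in lines:
        label = classify_record(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample bodies illustrating each case.
SAMPLE = [
    "t_sonicwall",
    "$(format-json --scope all-nv-pairs --exclude MESSAGE,SOURCE)",
    '{"HOST":"fw1","PROGRAM":"sonicwall","fw.action":"drop"}',
    '{"HOST":"fw1","MESSAGE":"raw text","src.data":"x"}',
    "not json at all",
]

if __name__ == "__main__":
    for label, count in sorted(check_capture(SAMPLE).items()):
        print(f"{label}: {count}")
```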