[syslog-ng] Java issue with elasticsearch

Kókai Péter peter.kokai at balabit.com
Sun May 27 16:53:16 UTC 2018


Hello,

I have tried to reproduce your issue with the included configuration file,
but it did not cause me the same trouble.

If by any chance you have syslog-ng compiled with debug enabled, you can
start it with an additional flag, '-y', to debug the grammar parser.
(If yes, please share the result of that debug.)
(With the -V flag you can determine if it is compiled with debug: syslog-ng -V)

If the debug mode is not possible, you can still pinpoint where the issue is
by commenting out lines from the configuration.

Or help me to reproduce this on my machine. I have tried to use the Ubuntu
18.04 Docker image and installed syslog-ng from this repository:
http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/xUbuntu_18.04

syslog-ng -V
syslog-ng 3 (3.15.1)
Config version: 3.15
Installer-Version: 3.15.1
Revision: 3.15.1-1
Compile-Date: Apr 19 2018 08:29:20


--
Kokan

On Fri, May 25, 2018 at 10:06 PM Komi Elitcha <kmw.elitcha at gmail.com> wrote:

> Kokan,
>
> Please see attached.
>
> Furthermore, the "log {---}" syntax is the one provided from install; I
> didn't modify it.
>
> Regards,
>
> On 25/05/2018 at 19:52, Kókai Péter wrote:
>
> Hello,
>
> Would it be possible to share your configuration file as an attachment, or
> upload it somewhere?
>
> The error message indicates that the parser reached the end of the file (of
> course it is not), but it requires the ';' to close the previous block. It
> also points to the place where it found the file end.
>
> 177     log { source(s_src); filter(f_crit); destination(d_console); };
> 178--->
> 178---> ^
>
> Removing that empty line might also help. (It points to the empty line and
> not to the log)
>
> --
> Kokan
>
> On Fri, May 25, 2018 at 9:42 PM Komi Elitcha <kmw.elitcha at gmail.com>
> wrote:
>
>> Hello Kokan,
>>
>> I double-checked inside the '/etc/syslog-ng/syslog-ng.conf' file and I don't
>> have any '\r' carriage.
>>
>> Are you pointing me to another conf file?
>>
>> Regards,
>>
>> On 25/05/2018 at 19:10, Kókai Péter wrote:
>>
>> Hello,
>>
>> You probably have a '\r' carriage return in your configuration, that is
>> not supported. Remove it and it should work :)
>>
>> --
>> Kokan
>>
>> On Fri, May 25, 2018 at 8:59 PM Komi Elitcha <kmw.elitcha at gmail.com>
>> wrote:
>>
>>> Oops...
>>>
>>> Additionally, I'm getting an error saying that syslog-ng-core is not
>>> configured yet.
>>>
>>> I hope I didn't miss anything.
>>>
>>> Thanks.
>>>
>>> On 25/05/2018 at 18:39, Komi Elitcha wrote:
>>>
>>> Thank you Gabor,
>>>
>>> Your comments below were very helpful and I suspect I've solved the java
>>> issue (maybe I should open a new thread).
>>>
>>> After correctly setting the java env in bashrc, this is the output I get
>>> from the #syslog-ng -Fve command:
>>>
>>>
>>> Error parsing config, syntax error, unexpected $end, expecting ';' in
>>> /etc/syslog-ng/syslog-ng.conf:
>>> 173     log { source(s_src); filter(f_messages);
>>> destination(d_messages); };
>>> 174
>>> 175     log { source(s_src); filter(f_console);
>>> destination(d_console_all);
>>> 176                         destination(d_xconsole); };
>>> 177     log { source(s_src); filter(f_crit); destination(d_console); };
>>> 178--->
>>> 178---> ^
>>> 179     # All messages send to a remote site
>>> 180     #
>>> 181     #log { source(s_src); destination(d_net); };
>>> 182     log { source(s_net); destination(d_es); flags(flow-control); };
>>> 183
>>>
>>>
>>> I cannot see any syntax error (regarding the ';') in my syslog-ng.conf
>>> file. Is there any known bug related to this? Also, I wonder why the
>>> "log {---}" syntaxes are returning errors.
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>>
>>> On 25/05/2018 at 10:20, Nagy, Gábor wrote:
>>>
>>> Sorry I forgot to link our blog post about common java problems.
>>> It could help and explain some common errors during installation.
>>>
>>> https://syslog-ng.com/blog/troubleshooting-java-support-syslog-ng/
>>>
>>> Regards,
>>> Gabor
>>>
>>> On Fri, May 25, 2018 at 11:35 AM, Nagy, Gábor <gabor.nagy at balabit.com>
>>> wrote:
>>>
>>>> Hi Komi!
>>>>
>>>> You need the java package for syslog-ng too: "syslog-ng-mod-java".
>>>> What is the source of the syslog-ng package you installed?
>>>>
>>>> You will need additional steps after you have installed the syslog-ng
>>>> java package.
>>>> In our admin we have detailed instructions to set up the elasticsearch2
>>>> destination:
>>>>
>>>> https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-destinations-elasticsearch2.html
>>>>
>>>> Feel free to ask if you got stuck!
>>>>
>>>> Regards,
>>>> Gabor
>>>>
>>>> On Fri, May 25, 2018 at 10:49 AM, Komi Elitcha <kmw.elitcha at gmail.com>
>>>> wrote:
>>>>
>>>>> Good day all,
>>>>>
>>>>> I'm new to this mailing list.
>>>>>
>>>>> I'm setting up syslog-ng+elasticsearch+kibana on Ubuntu 18.04; I'm
>>>>> getting the following output/error from the command: ]#syslog-ng -Fve
>>>>>
>>>>>
>>>>> Error parsing destination, destination plugin java not found in block
>>>>> destination elasticsearch2 (at
>>>>> /usr/share/syslog-ng/include/scl/elasticsearch/plugin.conf:58:1):
>>>>> 1
>>>>> 2----->   java(
>>>>> 2----->   ^^^^
>>>>> 3
>>>>> class_path("/usr/lib/syslog-ng/3.15/java-modules/*.jar:/usr/lib/syslog-ng/3.15/java-modules/elastic-jest-client/*.jar:/opt/syslog-ng/jre1.8.0_171/lib//*.jar")
>>>>> 4 class_name("org.syslog_ng.elasticsearch_v2.ElasticSearchDestination")
>>>>> 5           option("index", "*log*")
>>>>> 6           option("type", "syslog")
>>>>> 7           option("server", "localhost")
>>>>>
>>>>> Included from /etc/syslog-ng/syslog-ng.conf:
>>>>> 90      # Debian only
>>>>> 91      destination d_ppp { file("/var/log/ppp.log"); };
>>>>> 92
>>>>> 93      # Elasticsearch destination
>>>>> 94      destination d_es {
>>>>> 95---->     elasticsearch2(
>>>>> 95---->     ^^^^^^^^^^^^^^^^
>>>>> 96                cluster("syslog-ng")
>>>>> 97                client-lib-dir("/usr/share/elasticsearch/lib/")
>>>>> 98 client-lib-dir("/opt/syslog-ng/jre1.8.0_171/lib/")
>>>>> 99                time-zone("UTC")
>>>>> 100               cluster-url("http://localhost:9200")
>>>>>
>>>>>
>>>>> Any help is welcome.
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>> ______________________________________________________________________________
>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>> Documentation:
>>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> --
>>> KE
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> --
>> KE
>>
>>
> --
> --
> KE
>
>
>
>
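
Added example, not part of the original thread or of syslog-ng: one way to check a configuration file for the '\r' carriage return discussed above, extended to other bytes an editor usually hides (UTF-8 BOM, non-breaking space, control bytes). The names scan_conf and demo and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the lines of a syslog-ng config
# that contain bytes an editor usually hides. Exit status 1 means findings.
scan_conf() {
    conf=$1
    cr=$(printf '\r')    # a literal carriage-return byte
    # First grep: CR anywhere on the line, from CRLF endings or a stray CR.
    # Second grep: any byte that is neither printable ASCII nor ASCII
    # whitespace, such as a UTF-8 BOM, a non-breaking space or NUL.
    # LC_ALL=C forces byte-wise matching and only applies in the subshell.
    findings=$(
        LC_ALL=C; export LC_ALL
        {
            grep -a -n "$cr" "$conf" | sed 's/:.*/: carriage return (CR)/'
            grep -a -n '[^[:print:][:space:]]' "$conf" |
                sed 's/:.*/: non-ASCII or control byte/'
        } | sort -n
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample: line 2 holds a lone CR, line 3 a UTF-8 non-breaking space.
demo() {
    sample=$(mktemp)
    printf 'log { source(s_src); destination(d_console); };\n\r\n' > "$sample"
    printf 'log { source(s_net);\302\240destination(d_es); };\n' >> "$sample"
    scan_conf "$sample" || echo "hidden bytes found in $sample"
    rm -f "$sample"
}
demo
```

Each finding is printed as a line number followed by the reason, so the result can be compared directly with the line numbers in the parser's error output.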