[syslog-ng] Cannot send Syslog-ng to Elasticsearch

Tue Jul 9 05:02:31 UTC 2019

Hello,

Regarding your elasticsearch issue:
Depending on your version I would suggest you to try out the new C based elasticsearch destination (there is no need for java setup).

The commit that introduced gives an example how to configure:

commit 381ceb14e578553faaef3ea005146cb988a9f444
Refs: {origin/pr/2509}, syslog-ng-3.18.1-374-g381ceb14e
Author:     Zoltan Pallagi <pzolee at balabit.com>
AuthorDate: Mon Feb 4 16:14:21 2019 +0100
Commit:     Zoltan Pallagi <pzolee at balabit.com>
CommitDate: Mon Feb 4 16:14:21 2019 +0100

    Added elasticsearch-http() destination

    This destination is based on the native http destination of syslog-ng
    and uses elasticsearch bulk api (https://www.elastic.co/guide/en/elasticsearch/reference/6.5/docs-bulk.html)

    Example:
    destination d_elasticsearch_http {
        elasticsearch-http(index("my_index")
     type("my_type")
     url("http://my_elastic_server:9200/_bulk"));
    };

Issue#1: I/O error occurred:
This issue should not be related to sending data to elasticsearch, as that seems like a network destination, which tries to send data to 9200 port, but the server cuts the connection (probably because malformed data). Curios enough the 92000 is a standard elasticsearch port.

Would you please share your configuration ? and/or what this destination supposed to do ?

--
kokan

________________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Allen Olivas <allen.olivas at infodefense.com>
Sent: 08 July 2019 23:22
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] Cannot send Syslog-ng to Elasticsearch

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hello,

Recently I’ve tried following along with the Syslog-NG to Elasticsearch and Kibana blog posts and Admin Documentation for integrating Syslog-NG into Elasticsearch but I’m unable to integrate the two.

I see in the .conf files the destination calls for creating and Index Pattern for Syslog-NG but when I curl the existing indices I do not see syslog-ng.

Also, I’m now receiving two errors. The first I’m fairly certain we need to resolve but I’ve not been able to find adequate documentation on how to identify the issue let along resolve it, and the second I’m not sure if we actually need to fix.

The two issues:

Issue#1: I/O error occurred
syslog-ng[26432]: Syslog connection established; fd='12', server='AF_INET(127.0.0.1:9200)', local='AF_INET(0.0.0.0:0)'
syslog-ng[26432]: I/O error occurred while writing; fd='12', error='Broken pipe (32)'
syslog-ng[26432]: Syslog connection broken; fd='12', server='AF_INET(127.0.0.1:9200)', time_reopen='60'

Issue#2: Error opening plugin module; module='mod-java', error='libjvm.so: cannot open shared object file: No such file or directory'

For issue 1 I’m not sure what to do or how to resolve it. For issue 2, I know for certain libjvm does exist, and I’ve mapped the LD_LIBRARY_PATH to the directory libjvm.so resides in.

Ultimately, are these two issues preventing Syslog-NG from sending to Elasticsearch or are they just separate issues to tackle after I get things cleared up, and most importantly if they’re not related, how do I integrate Syslog-NG with Elasticsearch and Kibana. Documentation is not helpful and not concise.

Thanks!