|
Caution:
This driver is deprecated, use elasticsearch2 instead. |
Starting with version
Note the following limitations when using the syslog-ng OSE elasticsearch destination:
This destination is only supported on the Linux platform.
Since syslog-ng OSE uses the official Java Elasticsearch libraries, the elasticsearch destination has significant memory usage.
Sending messages over the HTTP REST API is supported only using the elastic2() destination. Note that in HTTP mode, the elasticsearch2 destination can send log messages to Elasticsearch version 1.x and newer. For details, see elasticsearch2: Sending logs directly to Elasticsearch and Kibana 2.0 or higher.
The log messages of the underlying client libraries are available in the internal() source of syslog-ng OSE.
@module mod-java @include "scl.conf" elasticsearch( index("syslog-ng_${YEAR}.${MONTH}.${DAY}") type("test") cluster("syslog-ng") );
The following example defines an elasticsearch destination that sends messages in transport mode to an Elasticsearch server version 1.x running on the localhost, using only the required parameters.
@module mod-java @include "scl.conf" destination d_elastic { elasticsearch( index("syslog-ng_${YEAR}.${MONTH}.${DAY}") type("test") ); };
The following example sends 10000 messages in a batch, in transport mode, and includes a custom unique ID for each message.
@module mod-java @include "scl.conf" options { threaded(yes); use-uniqid(yes); }; source s_syslog { syslog(); }; destination d_elastic { elasticsearch( index("syslog-ng_${YEAR}.${MONTH}.${DAY}") type("test") cluster("syslog-ng") client-mode("transport") custom-id("${UNIQID}") flush-limit("10000") ); }; log { source(s_syslog); destination(d_elastic); flags(flow-control); };
To install the software required for the elasticsearch destination, see Prerequisites.
For details on how the elasticsearch destination works, see How syslog-ng OSE interacts with Elasticsearch.
For the list of options, see Elasticsearch destination options.
The elasticsearch() driver is actually a reusable configuration snippet configured to receive log messages using the Java language-binding of syslog-ng OSE. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of the elasticsearch configuration snippet on GitHub. For details on extending syslog-ng OSE in Java, see the Getting started with syslog-ng development guide.
|
NOTE:
If you delete all Java destinations from your configuration and reload syslog-ng, the JVM is not used anymore, but it is still running. If you want to stop JVM, stop syslog-ng and then start syslog-ng again. |
To send messages from syslog-ng OSE to Elasticsearch, complete the following steps.
If you want to use the Java-based modules of syslog-ng OSE (for example, the Elasticsearch, HDFS, or Kafka destinations), you must compile syslog-ng OSE with Java support.
Download and install the Java Runtime Environment (JRE), 1.7 (or newer).
Install gradle version 2.2.1 or newer.
Set LD_LIBRARY_PATH to include the libjvm.so file, for example:LD_LIBRARY_PATH=/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server:$LD_LIBRARY_PATH
Note that many platforms have a simplified links for Java libraries. Use the simplified path if available. If you use a startup script to start syslog-ng OSE set LD_LIBRARY_PATH in the script as well.
If you are behind an HTTP proxy, create a gradle.properties under the modules/java-modules/ directory. Set the proxy parameters in the file. For details, see The Gradle User Guide.
Download the Elasticsearch libraries version 1.5 or newer from the 1.x line from https://www.elastic.co/downloads/elasticsearch. To use Elasticsearch 2.x or newer, use the elasticsearch2() destination (see elasticsearch2: Sending logs directly to Elasticsearch and Kibana 2.0 or higher).
Extract the Elasticsearch libraries into a temporary directory, then collect the various .jar files into a single directory (for example, /opt/elasticsearch/lib/) where syslog-ng OSE can access them. You must specify this directory in the syslog-ng OSE configuration file. The files are located in the lib directory and its subdirectories of the Elasticsearch release package.
The syslog-ng OSE application sends the log messages to the official Elasticsearch client library, which forwards the data to the Elasticsearch nodes. The way syslog-ng OSE interacts with Elasticsearch is described in the following steps.
After syslog-ng OSE is started and the first message arrives to the elasticsearch destination, the elasticsearch destination tries to connect to the Elasticsearch server or cluster. If the connection fails, syslog-ng OSE will repeatedly attempt to connect again after the period set in time-reopen() expires.
If the connection is established, syslog-ng OSE sends JSON-formatted messages to Elasticsearch.
If flush-limit is set to 1: syslog-ng OSE sends the message reliably: it sends a message to Elasticsearch, then waits for a reply from Elasticsearch. In case of failure, syslog-ng OSE repeats sending the message, as set in the retries() parameter. If sending the message fails for retries() times, syslog-ng OSE drops the message.
This method ensures reliable message transfer, but is slow (about 1000 messages/second).
If flush-limit is higher than 1: syslog-ng OSE sends messages in a batch, and receives the response asynchronously. In case of a problem, syslog-ng OSE cannot resend the messages.
This method is relatively fast (depending on the size of flush-limit, about 8000 messages/second), but the transfer is not reliable. In transport mode, over 5000-30000 messages can be lost before syslog-ng OSE recognizes the error. In node mode, about 1000 messages can be lost.
If concurrent-requests is higher than 1, syslog-ng OSE can send multiple batches simultaneously, increasing performance (and also the number of messages that can be lost in case of an error). For details, see concurrent-requests().
The syslog-ng OSE application can interact with Elasticsearch in transport mode or node mode.
The syslog-ng OSE application uses the transport client API of Elasticsearch, and uses the server(), port(), and cluster() options from the syslog-ng OSE configuration file.
The syslog-ng OSE application acts as an Elasticsearch node (client no-data), using the node client API of Elasticsearch. Further options for the node can be describe in an Elasticsearch configuration file specified in the resource() option.
|
NOTE:
In Node mode, it is required to define the home of the elasticsearch installation with the path.home paramter in the .yml file. For example: path.home: /usr/share/elasticsearch. |
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center