Version
To connect to an Elasticsearch 5.x or newer cluster, use HTTPS mode.
Install the Search Guard plugin on your syslog-ng OSE host. Use the plugin version that matches the version of your Elasticsearch installation.
sudo /usr/share/elasticsearch/bin/plugin install -b com.floragunn/search-guard-ssl/<version-number-of-the-plugin>
Create a certificate for your syslog-ng OSE host, and add the certificate to the SYSLOG_NG-NODE_NAME-keystore.jks file. You can configure the location of this file in the Elasticsearch resources file under the path.conf parameter. For details, see the Search Guard documentation.
Configure an Elasticsearch destination in syslog-ng OSE that uses the searchguard client mode. For example:
destination d_elasticsearch { elasticsearch2( client-lib-dir("/usr/share/elasticsearch/plugins/search-guard-ssl/*.jar:/usr/share/elasticsearch/lib") index("syslog-${YEAR}.${MONTH}.${DAY}") type("syslog") time-zone("UTC") client-mode("searchguard") resource("/etc/syslog-ng/elasticsearch.yml") ); };
Configure the Elasticsearch resource file (for example, /etc/syslog-ng/elasticsearch.yml) as needed for your environment. Note the searchguard: section.
cluster: name: elasticsearch discovery: zen: ping: unicast: hosts: - <ip-address-of-the-elasticsearch-server> node: name: syslog_ng_secure data; false master: false path: home: /etc/syslog-ng conf: /etc/syslog-ng searchguard: ssl: transport: keystore_filepath: syslog_ng-keystore.jks keystore_password: changeit truststore_filepath: truststore.jks truststore_password: changeit enforce_hostname_verification: true
|
Caution:
This destination is deprecated and will be removed from a future version of syslog-ng OSE. We recommend using the elasticsearch-http: Sending messages to Elasticsearch HTTP Bulk API destination instead. |
The elasticsearch2 destination can directly send log messages to Elasticsearch, allowing you to search and analyze your data in real time, and visualize it with Kibana. The elasticsearch2 destination has the following options.
The following options are required: index(), type(). In node mode, either the cluster() or the resource() option is required as well. Note that to use elasticsearch2, you must add the following lines to the beginning of your syslog-ng OSE configuration:
@include "scl.conf"
Type: | string |
Default: | The syslog-ng OSE module directory: /opt/syslog-ng/lib/syslog-ng/java-modules/ |
Description: The list of the paths where the required Java classes are located. For example, class-path("/opt/syslog-ng/lib/syslog-ng/java-modules/:/opt/my-java-libraries/libs/"). If you set this option multiple times in your syslog-ng OSE configuration (for example, because you have multiple Java-based destinations), syslog-ng OSE will merge every available paths to a single list.
Description: Include the path to the directory where you copied the required libraries (see Prerequisites), for example, client-lib-dir(/user/share/elasticsearch-2.2.0/lib).
Type: | |
Default: | node |
Description: Specifies the client mode used to connect to the Elasticsearch server, for example, client-mode("node").
The syslog-ng OSE application sends messages over HTTP using the REST API of Elasticsearch, and uses the cluster-url() and cluster() options from the syslog-ng OSE configuration file. In HTTP mode, syslog-ng OSEelasticsearch2 driver can send log messages to every Elasticsearch version, including 1.x-6.x. Note that HTTP mode is available in syslog-ng OSE version
In version
The syslog-ng OSE application sends messages over an encrypted and optionally authenticated HTTPS channel using the REST API of Elasticsearch, and uses the cluster-url() and cluster() options from the syslog-ng OSE configuration file. In HTTPS mode, syslog-ng OSEelasticsearch2 driver can send log messages to every Elasticsearch version, including 1.x-6.x. Note that HTTPS mode is available in syslog-ng OSE version
This mode supports password-based and certificate-based authentication of the client, and can verify the certificate of the server as well.
In version
The syslog-ng OSE application uses the transport client API of Elasticsearch, and uses the server(), port(), and cluster() options from the syslog-ng OSE configuration file.
The syslog-ng OSE application acts as an Elasticsearch node (client no-data), using the node client API of Elasticsearch. Further options for the node can be describe in an Elasticsearch configuration file specified in the resource() option.
NOTE: In Node mode, it is required to define the home of the elasticsearch installation with the path.home parameter in the .yml file. For example: path.home: /usr/share/elasticsearch.
Use the Search Guard Elasticsearch plugin to encrypt and authenticate your connections from syslog-ng OSE to Elasticsearch 2.x. For Elasticsearch versions 5.x and newer, use HTTPS mode. For details on configuring Search Guard mode, see Search Guard and syslog-ng OSE.
Type: | string |
Default: | N/A |
Description: Specifies the name or the Elasticsearch cluster, for example, cluster("my-elasticsearch-cluster"). Optionally, you can specify the name of the cluster in the Elasticsearch resource file. For details, see resource().
Type: | string |
Default: | N/A |
Description: Specifies the URL or the Elasticsearch cluster, for example, cluster-url("http://192.168.10.10:9200")"). Note that this option works only in HTTP mode: client-mode(http)
In version
For example:
destination d_elasticsearch { elasticsearch2( client-lib-dir("/usr/share/elasticsearch/lib/") index("syslog-${YEAR}.${MONTH}.${DAY}") type("syslog") time-zone("UTC") client-mode("http") cluster-url("http://node01:9200 http://node02:9200") ); };
Type: | number |
Default: | 0 |
Description: The number of concurrent (simultaneous) requests that syslog-ng OSE sends to the Elasticsearch server. Set this option to 1 or higher to increase performance. When using the concurrent-requests() option, make sure that the flush-limit() option is higher than one, otherwise it will not have any noticeable effect. For details, see flush-limit().
|
Caution:
Hazard of data loss! Using the concurrent-requests() option increases the number of messages lost in case the Elasticsearch server becomes unaccessible. |
Type: | template or template function |
Default: | N/A |
Description: Use this option to specify a custom ID for the records inserted into Elasticsearch. If this option is not set, the Elasticsearch server automatically generates and ID for the message. For example: custom-id(${UNIQID}) (Note that to use the ${UNIQID} macro, the use-uniqid() global option must be enabled. For details, see use-uniqid().)
Description: This option enables putting outgoing messages into the disk buffer of the destination to avoid message loss in case of a system failure on the destination side. It has the following options:
reliable() | |||
Type: | yes|no | ||
Default: | no | ||
Description: If set to yes, syslog-ng OSE cannot lose logs in case of reload/restart, unreachable destination or syslog-ng OSE crash. This solution provides a slower, but reliable disk-buffer option. It is created and initialized at startup and gradually grows as new messages arrive. If set to no, the normal disk-buffer will be used. This provides a faster, but less reliable disk-buffer option.
|
compaction() | |
Type: | yes|no |
Default: | no |
Description: If set to yes, syslog-ng OSE prunes the unused space in the LogMessage representation, making the disk queue size smaller at the cost of some CPU time. Setting the compaction() argument to yes is recommended when numerous name-value pairs are unset during processing, or when the same names are set multiple times. |
NOTE: Simply unsetting these name-value pairs by using the unset() rewrite operation is not enough, as due to performance reasons that help when syslog-ng is CPU bound, the internal representation of a LogMessage will not release the memory associated with these name-value pairs. In some cases, however, the size of this overhead becomes significant (the raw message size can grow up to four times its original size), which unnecessarily increases the disk queue file size. For these cases, the compaction will drop "unset" values, making the LogMessage representation smaller at the cost of some CPU time required to perform compaction.
disk-buf-size() | |
Type: | number (bytes) |
Default: | |
Description: This is a required option. The maximum size of the disk-buffer in bytes. The minimum value is 1048576 bytes. If you set a smaller value, the minimum value will be used automatically. It replaces the old log-disk-fifo-size() option. |
mem-buf-length() | |
Type: | number (messages) |
Default: | 10000 |
Description: Use this option if the option reliable() is set to no. This option contains the number of messages stored in overflow queue. It replaces the old log-fifo-size() option. It inherits the value of the global log-fifo-size() option if provided. If it is not provided, the default value is 10000 messages. Note that this option will be ignored if the option reliable() is set to yes. |
mem-buf-size() | |
Type: | number (bytes) |
Default: | 163840000 |
Description: Use this option if the option reliable() is set to yes. This option contains the size of the messages in bytes that is used in the memory part of the disk buffer. It replaces the old log-fifo-size() option. It does not inherit the value of the global log-fifo-size() option, even if it is provided. Note that this option will be ignored if the option reliable() is set to no. |
qout-size() | |
Type: | number (messages) |
Default: | 64 |
Description: The number of messages stored in the output buffer of the destination. Note that if you change the value of this option and the disk-buffer already exists, the change will take effect when the disk-buffer becomes empty. |
Options reliable() and disk-buf-size() are required options.
In the following case reliable disk-buffer() is used.
destination d_demo { network( "127.0.0.1" port(3333) disk-buffer( mem-buf-size(10000) disk-buf-size(2000000) reliable(yes) dir("/tmp/disk-buffer") ) ); };
In the following case normal disk-buffer() is used.
destination d_demo { network( "127.0.0.1" port(3333) disk-buffer( mem-buf-length(10000) disk-buf-size(2000000) reliable(no) dir("/tmp/disk-buffer") ) ); };
Type: | number |
Default: | 5000 |
Description: The number of messages that syslog-ng OSE sends to the Elasticsearch server in a single batch.
If flush-limit is set to 1: syslog-ng OSE sends the message reliably: it sends a message to Elasticsearch, then waits for a reply from Elasticsearch. In case of failure, syslog-ng OSE repeats sending the message, as set in the retries() parameter. If sending the message fails for retries() times, syslog-ng OSE drops the message.
This method ensures reliable message transfer, but is slow (about 1000 messages/second).
If flush-limit is higher than 1: syslog-ng OSE sends messages in a batch, and receives the response asynchronously. In case of a problem, syslog-ng OSE cannot resend the messages.
This method is relatively fast (depending on the size of flush-limit, about 8000 messages/second), but the transfer is not reliable. In transport mode, over 5000-30000 messages can be lost before syslog-ng OSE recognizes the error. In node mode, about 1000 messages can be lost.
If concurrent-requests is higher than 1, syslog-ng OSE can send multiple batches simultaneously, increasing performance (and also the number of messages that can be lost in case of an error).
Type: | number |
Default: | 0 |
Description: The syslog-ng application can store fractions of a second in the timestamps according to the ISO8601 format. The frac-digits() parameter specifies the number of digits stored. The digits storing the fractions are padded by zeros if the original timestamp of the message specifies only seconds. Fractions can always be stored for the time the message was received.
NOTE: The syslog-ng OSE application can add the fractions to non-ISO8601 timestamps as well.
NOTE: As syslog-ng OSE is precise up to the microsecond, when the frac-digits() option is set to a value higher than 6, syslog-ng OSE will truncate the fraction seconds in the timestamps after 6 digits.
Description: This option makes it possible to execute external programs when the relevant driver is initialized or torn down. The hook-commands() can be used with all source and destination drivers with the exception of the usertty() and internal() drivers.
NOTE: The syslog-ng OSE application must be able to start and restart the external program, and have the necessary permissions to do so. For example, if your host is running AppArmor or SELinux, you might have to modify your AppArmor or SELinux configuration to enable syslog-ng OSE to execute external applications.
To execute an external program when syslog-ng OSE starts or stops, use the following options:
startup() | |
Type: | string |
Default: | N/A |
Description: Defines the external program that is executed as syslog-ng OSE starts. |
shutdown() | |
Type: | string |
Default: | N/A |
Description: Defines the external program that is executed as syslog-ng OSE stops. |
To execute an external program when the syslog-ng OSE configuration is initiated or torn down, for example, on startup/shutdown or during a syslog-ng OSE reload, use the following options:
setup() | |
Type: | string |
Default: | N/A |
Description: Defines an external program that is executed when the syslog-ng OSE configuration is initiated, for example, on startup or during a syslog-ng OSE reload. |
teardown() | |
Type: | string |
Default: | N/A |
Description: Defines an external program that is executed when the syslog-ng OSE configuration is stopped or torn down, for example, on shutdown or during a syslog-ng OSE reload. |
In the following example, the hook-commands() is used with the network() driver and it opens an iptables port automatically as syslog-ng OSE is started/stopped.
The assumption in this example is that the LOGCHAIN chain is part of a larger ruleset that routes traffic to it. Whenever the syslog-ng OSE created rule is there, packets can flow, otherwise the port is closed.
source { network(transport(udp) hook-commands( startup("iptables -I LOGCHAIN 1 -p udp --dport 514 -j ACCEPT") shutdown("iptables -D LOGCHAIN 1") ) ); };
Type: | none | basic | clientcert |
Default: | none |
Description: Determines how syslog-ng OSE authenticates to the Elasticsearch server. Depending on the value of this option, you might have to set other options as well. Possible values:
none: Connect to the Elasticsearch server without authentication.
basic: Use password authentication. Also set the http-auth-type-basic-username and http-auth-type-basic-password options.
clientcert: Use a certificate to authenticate. The certificate must be available in a Java keystore. Also set the java-keystore-filepath and java-keystore-password options.
This option is used only in HTTPS mode: client-mode("https"), and is available in syslog-ng OSE version
The following simple examples show the different authentication modes.
Simple password authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("basic") http-auth-type-basic-username("example-username") http-auth-type-basic-password("example-password") ); };
Certificate authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("<path-to-your-java-keystore>.jks") java-keystore-password("password-to-your-keystore") ); };
Verify the certificate of the Elasticsearch server without authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("none") java-truststore-filepath("<path-to-your-java-keystore>.jks") java-truststore-password("password-to-your-keystore") ); };
Verify the certificate of the Elasticsearch server and perform certificate authentication (this is actually a mutual, certificate-based authentication between the syslog-ng OSE client and the Elasticsearch server):
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-keystore-password("password-to-your-keystore") java-truststore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-truststore-password("password-to-your-keystore") ); };
Type: | string |
Default: | N/A |
Description: The password to use for password-authentication on the Elasticsearch server. You must also set the http-auth-type-basic-username option.
This option is used only in HTTPS mode with basic authentication: client-mode("https") and http-auth-type("basic"), and is available in syslog-ng OSE version
Simple password authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("basic") http-auth-type-basic-username("example-username") http-auth-type-basic-password("example-password") ); };
Type: | string |
Default: | N/A |
Description: The username to use for password-authentication on the Elasticsearch server. You must also set the http-auth-type-basic-password option.
This option is used only in HTTPS mode with basic authentication: client-mode("https") and http-auth-type("basic"), and is available in syslog-ng OSE version
Simple password authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("basic") http-auth-type-basic-username("example-username") http-auth-type-basic-password("example-password") ); };
Type: | string |
Default: | N/A |
Description: Name of the Elasticsearch index to store the log messages. You can use macros and templates as well.
Type: | string |
Default: | N/A |
Description: Path to the Java keystore file that stores the certificate that syslog-ng OSE uses to authenticate on the Elasticsearch server. You must also set the java-keystore-password option.
To import a certificate into a Java keystore, use the appropriate tool of your Java implementation. For example, on Oracle Java, you can use the keytool utility:
keytool -import -alias ca -file <certificate-to-import> -keystore <keystore-to-import> -storepass <password-to-the-keystore>
This option is used only in HTTPS mode with basic authentication: client-mode("https") and http-auth-type("clientcert"), and is available in syslog-ng OSE version
Certificate authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("<path-to-your-java-keystore>.jks") java-keystore-password("password-to-your-keystore") ); };
Verify the certificate of the Elasticsearch server and perform certificate authentication (this is actually a mutual, certificate-based authentication between the syslog-ng OSE client and the Elasticsearch server):
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-keystore-password("password-to-your-keystore") java-truststore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-truststore-password("password-to-your-keystore") ); };
Type: | string |
Default: | N/A |
Description: The password of the Java keystore file set in the java-keystore-filepath option.
To import a certificate into a Java keystore, use the appropriate tool of your Java implementation. For example, on Oracle Java, you can use the keytool utility:
keytool -import -alias ca -file <certificate-to-import> -keystore <keystore-to-import> -storepass <password-to-the-keystore>
This option is used only in HTTPS mode with basic authentication: client-mode("https") and http-auth-type("clientcert"), and is available in syslog-ng OSE version
Certificate authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("<path-to-your-java-keystore>.jks") java-keystore-password("password-to-your-keystore") ); };
Verify the certificate of the Elasticsearch server and perform certificate authentication (this is actually a mutual, certificate-based authentication between the syslog-ng OSE client and the Elasticsearch server):
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-keystore-password("password-to-your-keystore") java-truststore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-truststore-password("password-to-your-keystore") ); };
Type: | string |
Default: | N/A |
Description: Path to the Java keystore file that stores the CA certificate that syslog-ng OSE uses to verify the certificate of the Elasticsearch server. You must also set the java-truststore-password option.
If you do not set the java-truststore-filepath option, syslog-ng OSE does accepts any certificate that the Elasticsearch server shows. In this case, the identity of the server is not verified, only the connection is encrypted.
To import a certificate into a Java keystore, use the appropriate tool of your Java implementation. For example, on Oracle Java, you can use the keytool utility:
keytool -import -alias ca -file <certificate-to-import> -keystore <keystore-to-import> -storepass <password-to-the-keystore>
This option is used only in HTTPS mode: client-mode("https"), and is available in syslog-ng OSE version
Verify the certificate of the Elasticsearch server without authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("none") java-truststore-filepath("<path-to-your-java-keystore>.jks") java-truststore-password("password-to-your-keystore") ); };
Verify the certificate of the Elasticsearch server and perform certificate authentication (this is actually a mutual, certificate-based authentication between the syslog-ng OSE client and the Elasticsearch server):
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-keystore-password("password-to-your-keystore") java-truststore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-truststore-password("password-to-your-keystore") ); };
Type: | string |
Default: | N/A |
Description: The password of the Java truststore file set in the java-truststore-filepath option.
To import a certificate into a Java keystore, use the appropriate tool of your Java implementation. For example, on Oracle Java, you can use the keytool utility:
keytool -import -alias ca -file <certificate-to-import> -keystore <keystore-to-import> -storepass <password-to-the-keystore>
This option is used only in HTTPS mode: client-mode("https"), and is available in syslog-ng OSE version
Verify the certificate of the Elasticsearch server without authentication:
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("none") java-truststore-filepath("<path-to-your-java-keystore>.jks") java-truststore-password("password-to-your-keystore") ); };
Verify the certificate of the Elasticsearch server and perform certificate authentication (this is actually a mutual, certificate-based authentication between the syslog-ng OSE client and the Elasticsearch server):
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-keystore-password("password-to-your-keystore") java-truststore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-truststore-password("password-to-your-keystore") ); };
Type: | list |
Default: | N/A |
Description: Specify the Java Virtual Machine (JVM) settings of your Java destination from the syslog-ng OSE configuration file.
For example:
jvm-options("-Xss1M -XX:+TraceClassLoading")
You can set this option only as a global option, by adding it to the options statement of the syslog-ng configuration file.
Type: | number |
Default: | Use global setting. |
Description: The number of messages that the output queue can store.
Accepted values: |
drop-message|drop-property|fallback-to-string| silently-drop-message|silently-drop-property|silently-fallback-to-string |
Default: | Use the global setting (which defaults to drop-message) |
Description: Controls what happens when type-casting fails and syslog-ng OSE cannot convert some data to the specified type. By default, syslog-ng OSE drops the entire message and logs the error. Currently the value-pairs() option uses the settings of on-error().
drop-message: Drop the entire message and log an error message to the internal() source. This is the default behavior of syslog-ng OSE.
drop-property: Omit the affected property (macro, template, or message-field) from the log message and log an error message to the internal() source.
fallback-to-string: Convert the property to string and log an error message to the internal() source.
silently-drop-message: Drop the entire message silently, without logging the error.
silently-drop-property: Omit the affected property (macro, template, or message-field) silently, without logging the error.
silently-fallback-to-string: Convert the property to string silently, without logging the error.
Type: | number |
Default: | 9300 |
Description: The port number of the Elasticsearch server. This option is used only in transport mode: client-mode("transport")
Type: | number (of attempts) |
Default: | 3 |
Description: The number of times syslog-ng OSE attempts to send a message to this destination. If syslog-ng OSE could not send a message, it will try again until the number of attempts reaches retries, then drops the message.
Type: | string |
Default: | N/A |
Description: The list of Elasticsearch resources to load, separated by semicolons. For example, resource("/home/user/elasticsearch/elasticsearch.yml;/home/user/elasticsearch/elasticsearch2.yml").
Type: | list of hostnames |
Default: | 127.0.0.1 |
Description: Specifies the hostname or IP address of the Elasticsearch server. When specifying an IP address, IPv4 (for example, 192.168.0.1) or IPv6 (for example, [::1]) can be used as well. When specifying multiple addresses, use space to separate the addresses, for example, server("127.0.0.1 remote-server-hostname1 remote-server-hostname2")
This option is used only in transport mode: client-mode("transport")
In version
For example:
destination d_elasticsearch { elasticsearch2( client-lib-dir("/usr/share/elasticsearch/lib/") index("syslog-${YEAR}.${MONTH}.${DAY}") type("syslog") time-zone("UTC") client-mode("http") server("node01 node02") port(9200) ); };
Type: | yes|no |
Default: | no |
Description: By default, when connecting to an Elasticsearch cluster, syslog-ng OSE checks the state of the cluster. If the primary shards of the cluster are not active, syslog-ng OSE will not send messages, but wait for them to become active. To disable this health check and send the messages to Elasticsearch anyway, use the skip-cluster-health-check(yes) option in your configuration.
Type: | template or template function |
Default: | $(format-json --scope rfc5424 --exclude DATE --key ISODATE @timestamp=${ISODATE}) |
Description: The message as sent to the Elasticsearch server. Typically, you will want to use the command-line notation of the format-json template function.
To add a @timestamp field to the message, for example, to use with Kibana, include the @timestamp=${ISODATE} expression in the template. For example: template($(format-json --scope rfc5424 --exclude DATE --key ISODATE @timestamp=${ISODATE}))
For details on formatting messages in JSON format, see format-json.
Type: | number |
Default: | 0 |
Description: Sets the maximum number of messages sent to the destination per second. Use this output-rate-limiting functionality only when using disk-buffer as well to avoid the risk of losing messages. Specifying 0 or a lower value sets the output limit to unlimited.
Type: | name of the timezone, or the timezone offset |
Default: | unspecified |
Description: Convert timestamps to the timezone specified by this option. If this option is not set, then the original timezone information in the message is used. Converting the timezone changes the values of all date-related macros derived from the timestamp, for example, HOUR. For the complete list of such macros, see Date-related macros.
The timezone can be specified by using the name, for example, time-zone("Europe/Budapest")), or as the timezone offset in +/-HH:MM format, for example, +01:00). On Linux and UNIX platforms, the valid timezone names are listed under the /usr/share/zoneinfo directory.
Version
Type: | rfc3164, bsd, rfc3339, iso |
Default: | rfc3164 |
Description: Override the global timestamp format (set in the global ts-format() parameter) for the specific destination. For details, see ts-format().
NOTE: This option applies only to file and file-like destinations. Destinations that use specific protocols (for example, network(), or syslog()) ignore this option. For protocol-like destinations, use a template locally in the destination, or use the proto-template option.
This section aims to give you some practical examples about how to make the most of your Elasticsearch-based logging using syslog-ng. Read the following blog posts to learn how to:
Parse data with syslog-ng, store in Elasticsearch, and analyze with Kibana
Get started on Red Hat Enterprise Linux / CentOS using Elasticsearch 6 and syslog-ng
Visualize your data using:
This example uses the GeoIP2 parser. For details about the GeoIP2 parser, see Looking up GeoIP2 data from IP addresses.
Version
HTTPS connection, as well as password- and certificate-based authentication is supported. The content of the events is sent in JSON format.
d_elasticsearch_http { elasticsearch-http( index("<elasticsearch-index-to-store-messages>") url("https://your-elasticsearch-server1:9200/_bulk" "https://your-elasticsearch-server2:9200/_bulk") type("<type-of-the-index>") ); };
Use an empty string to omit the type from the index: type(""). For example, you need to do that when using Elasticsearch 7 or newer, and you use a mapping in Elasticsearch to modify the type of the data.
You can use the proxy() option to configure the HTTP driver in all HTTP-based destinations to use a specific HTTP proxy that is independent from the proxy configured for the system.
Alternatively, you can leave the HTTP as-is, in which case the driver leaves the default http_proxy and https_proxy environment variables unmodified.
For more detailed information about these environment variables, see the libcurl documentation.
NOTE: Configuring the proxy() option overwrites the default http_proxy and https_proxy environment variables.
The following example defines a elasticsearch-http() destination, with only the required options.
destination d_elasticsearch_http { elasticsearch-http( index("<name-of-the-index>") type("<type-of-the-index>") url("http://my-elastic-server:9200/_bulk") ); }; log { source(s_file); destination(d_elasticsearch_http); flags(flow-control); };
The following example uses mutually-authenticated HTTPS connection, templated index, and also sets the type() and some other options.
destination d_elasticsearch_https { elasticsearch-http( url("https://node01.example.com:9200/_bulk") index("test-${YEAR}${MONTH}${DAY}") time-zone("UTC") type("test") workers(4) batch-lines(16) timeout(10) tls( ca-file("ca.pem") cert-file("syslog_ng.crt.pem") key-file("syslog_ng.key.pem") peer-verify(yes) ) ); };
This driver is actually a reusable configuration snippet configured to send log messages using the tcp() driver using a template. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of this configuration snippet on GitHub.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center