syslog-ng 2 elasticsearch

syslog-ng

# This file is managed by Puppet. DO NOT EDIT.
# This file was generated by Puppet's ihrwein-syslog_ng module
@version: 3.8
@module mod-java
@include "scl.conf"
options {
    chain_hostnames(yes);
    keep_hostname(no);
    log_fifo_size(1000);
    normalize_hostnames(yes);
    time_reopen(10);
    ts-format(iso);
    use_dns(no);
};
parser p_audit {
    linux-audit-parser(

    );
};
filter f_audit {
    message(
        "msg=audit"
    );
};
source s_local {
    systemd-journal(
        prefix(
            .SDATA.journald.
        )
    );
};
source s_remote {
    syslog(
        transport(
            tcp
        )
    );
};
destination d_all {
    file(
        /var/log/all.log
    );
};
destination d_audit {
    file(
        "/var/log/remote/${HOST}/${YEAR}/${MONTH}/${DAY}/audit.log",
        create-dirs(
            yes
        )
    );
};
destination d_elastic {
    elasticsearch2(
        client_mode(
            "http"
        ),
        cluster_url(
            "http://10.20.20.13:9200"
        ),
        index(
            "syslog-ng_${YEAR}.${MONTH}.${DAY}"
        ),
        type(
            "syslog"
        ),
        cluster(
            "elasticsearch"
        ),
        flush_limit(
            "0"
        ),
        template(
            "$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)"
        )
    );
};
destination d_logs {
    file(
        "/var/log/remote/${HOST}/${YEAR}/${MONTH}/${DAY}/$FACILITY.log",
        create-dirs(
            yes
        )
    );
};
log {
    source(s_remote);
    filter(f_audit);
    parser(p_audit);
    destination(d_audit);
    destination(d_elastic);
    flags(final flow-control);
};
log {
    source(s_local);
    destination(d_all);
    destination(d_elastic);
    flags(flow-control);
};
log {
    source(s_remote);
    destination(d_logs);
    destination(d_elastic);
    flags(flow-control);
};