How AxoSyslog interacts with Elasticsearch

The AxoSyslog application hands log messages to the official Elasticsearch client library, which forwards the data to the Elasticsearch nodes. The way AxoSyslog interacts with Elasticsearch is described in the following steps.

  • After AxoSyslog is started and the first message arrives at the elasticsearch2 destination, the destination tries to connect to the Elasticsearch server or cluster. If the connection fails, AxoSyslog retries the connection each time the period set in time-reopen() expires.

  • If the connection is established, AxoSyslog sends JSON-formatted messages to Elasticsearch.

    • If flush-limit() is set to 1: AxoSyslog sends each message reliably: it sends one message to Elasticsearch and waits for the reply before sending the next. If the send fails, AxoSyslog resends the message up to the number of times set in retries(). If the send still fails after retries() attempts, AxoSyslog drops the message.

      This method ensures reliable message transfer, but is slow (about 1000 messages/second).

    • If flush-limit() is higher than 1: AxoSyslog sends messages in batches of that size and receives the response asynchronously. If a batch fails, AxoSyslog cannot resend the messages it contained.

      This method is relatively fast (depending on the size of flush-limit(), about 8000 messages/second), but the transfer is not reliable. In transport mode, 5000-30000 messages can be lost before AxoSyslog recognizes the error. In node mode, about 1000 messages can be lost.

    • If concurrent-requests() is higher than 1, AxoSyslog can have multiple batches in flight simultaneously, which increases throughput (and also the number of messages that can be lost in case of an error).

  • Version 3.10 and newer of AxoSyslog automatically converts the timestamp (date) of the message to UTC, as needed by Elasticsearch and Kibana.
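The two delivery modes described above, side by side, as an added configuration example that is not part of the original page or the AxoSyslog project's own documentation. flush-limit(), retries(), concurrent-requests() and time-reopen() are the options discussed in the text; client-mode(), cluster(), cluster-url(), index(), type() and template() are standard elasticsearch2() options not mentioned above. The cluster name, node URL, index names, source name and the numeric values chosen for retries(), flush-limit() and concurrent-requests() are placeholders picked for illustration.

```conf
# Added example (not from the AxoSyslog documentation): two elasticsearch2()
# destinations showing the reliable-but-slow and fast-but-lossy modes.
# Placeholders: cluster name, node URL, index names, source name, numeric values.

options {
    # Seconds to wait before retrying a failed connection to Elasticsearch.
    time-reopen(10);
};

source s_local {
    system();
    internal();
};

# Reliable path: one message per request, synchronous acknowledgement.
# Slow (about 1000 messages/second), but a failed send is retried up to
# retries() times before the message is dropped. Suited to audit and
# security logs, where silent loss is the thing you most want to avoid.
destination d_es_reliable {
    elasticsearch2(
        client-mode("http")
        cluster("syslog-ng")                    # placeholder cluster name
        cluster-url("http://127.0.0.1:9200")    # placeholder node address
        index("security-logs")                  # placeholder index name
        type("syslog")
        flush-limit(1)                          # one message per request
        retries(5)                              # resend up to 5 times, then drop
        concurrent-requests(1)                  # no parallel requests
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE @timestamp=${ISODATE})")
    );
};

# Fast path: batches of flush-limit() messages, acknowledged asynchronously,
# several batches in flight at once. Higher throughput, but a failed batch
# cannot be resent, and concurrent-requests() multiplies the number of
# messages that can be lost on a single error.
destination d_es_fast {
    elasticsearch2(
        client-mode("http")
        cluster("syslog-ng")                    # placeholder cluster name
        cluster-url("http://127.0.0.1:9200")    # placeholder node address
        index("app-logs")                       # placeholder index name
        type("syslog")
        flush-limit(5000)                       # messages per batch
        concurrent-requests(4)                  # up to 4 batches in flight
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE @timestamp=${ISODATE})")
    );
};

# Route the local system and internal messages through the reliable path.
log { source(s_local); destination(d_es_reliable); };
```

When choosing between the two, weigh the numbers given above: the reliable destination caps loss at zero messages per failure at roughly 1000 messages/second, while the fast destination at flush-limit(5000) with four concurrent requests can have on the order of 20000 messages in flight that are unrecoverable if the connection drops. Keeping separate destinations lets you send security-relevant sources through d_es_reliable and high-volume, lower-value sources through d_es_fast.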