# elasticsearch2: DEPRECATED - Send messages directly to Elasticsearch version 2.0 or higher

Warning: This destination is deprecated and will be removed from a future version of AxoSyslog. We recommend using the [elasticsearch-http: Send messages to Elasticsearch HTTP Bulk API](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch-http/index.md) destination instead.

Starting with version 3.7, AxoSyslog can directly send log messages to [Elasticsearch](<https://www.elastic.co/products/elasticsearch>), allowing you to search and analyze your data in real time, and visualize it with [Kibana](<https://www.elastic.co/products/kibana>).

Note the following limitations when using the AxoSyslog `elasticsearch2` destination:

  * Since AxoSyslog uses Java libraries, the `elasticsearch2` destination has significant memory usage.



## Declaration:
```
@include "scl.conf"

elasticsearch2(
    index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
    type("test")
    cluster("syslog-ng")
);
```

## Example: Sending log data to Elasticsearch version 2.x and above

The following example defines an `elasticsearch2` destination that sends messages in transport mode to an Elasticsearch server running on the localhost, using only the required parameters.
```
@include "scl.conf"

destination d_elastic {
    elasticsearch2(
        index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
        type("test")
    );
};
```

The following example sends 10000 messages in a batch, in transport mode, and includes a custom unique ID for each message.
```
@include "scl.conf"

options {
    threaded(yes);
    use-uniqid(yes);
};

source s_syslog {
    syslog();
};

destination d_elastic {
    elasticsearch2(
        index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
        type("test")
        cluster("syslog-ng")
        client-mode("transport")
        custom-id("${UNIQID}")
        flush-limit("10000")
    );
};

log {
    source(s_syslog);
    destination(d_elastic);
    flags(flow-control);
};
```

## Example: Sending log data to Elasticsearch using the HTTP REST API

The following example sends messages to Elasticsearch over HTTP using its REST API:
```
@include "scl.conf"

source s_network {
    network(port(5555));
};

destination d_elastic {
    elasticsearch2(
        client-mode("http")
        cluster("es-syslog-ng")
        index("x201")
        cluster-url("http://192.168.33.10:9200")
        type("slng_test_type")
        flush-limit("0")
    );
};

log {
    source(s_network);
    destination(d_elastic);
    flags(flow-control);
};
```

Verify the certificate of the Elasticsearch server and perform certificate authentication (this is actually a mutual, certificate-based authentication between the AxoSyslog client and the Elasticsearch server):
```
destination d_elastic {
    elasticsearch2(
        client-mode("https")
        cluster("es-syslog-ng")
        index("x201")
        # Use an https:// URL so that the connection is made over TLS
        cluster-url("https://192.168.33.10:9200")
        type("slng_test_type")
        flush-limit("0")
        http-auth-type("clientcert")
        java-keystore-filepath("<path-to-your-java-keystore>.jks")
        java-keystore-password("password-to-your-keystore")
        java-truststore-filepath("<path-to-your-java-keystore>.jks")
        java-truststore-password("password-to-your-keystore")
    );
};
```
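
Because `elasticsearch2` is deprecated, the same mutually authenticated connection can be expressed with the recommended `elasticsearch-http()` destination. The following is an added example, not taken from the AxoSyslog documentation: the PEM file paths are placeholders (the `tls()` block takes PEM files rather than a Java keystore), and the `batch-lines()` value is an assumed setting.

```conf
@include "scl.conf"

source s_network {
    network(port(5555));
};

destination d_elastic_http {
    elasticsearch-http(
        # Bulk API endpoint of the server used in the examples above
        url("https://192.168.33.10:9200/_bulk")
        index("x201")
        type("slng_test_type")
        # Batch size, the role flush-limit() plays in elasticsearch2;
        # 100 is an assumed value
        batch-lines(100)
        tls(
            # Placeholder paths: CA that signed the server certificate,
            # and the client certificate and key used for authentication
            ca-file("<path-to-ca-certificate>.pem")
            cert-file("<path-to-client-certificate>.pem")
            key-file("<path-to-client-private-key>.pem")
            # Reject the server if its certificate does not validate
            peer-verify(yes)
        )
    );
};

log {
    source(s_network);
    destination(d_elastic_http);
    flags(flow-control);
};
```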

  * To install the software required for the `elasticsearch2` destination, see [Prerequisites](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch2/destination-elasticsearch2-prerequisites/index.md).

  * For details on how the `elasticsearch2` destination works, see [How AxoSyslog interacts with Elasticsearch](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch2/destination-elasticsearch2-interaction/index.md).

  * For the list of options, see [Elasticsearch2 destination options (DEPRECATED)](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch2/reference-destination-elasticsearch2/index.md).




The `elasticsearch2()` driver is actually a reusable configuration snippet configured to receive log messages using the Java language-binding of AxoSyslog. For details on using or writing such configuration snippets, see [Reusing configuration blocks](../../docs/axosyslog-core/chapter-configuration-file/large-configs/config-blocks/index.md). You can find the source of the elasticsearch configuration snippet on [GitHub](<https://github.com/axoflow/axosyslog/blob/main/scl/elasticsearch/elastic-http.conf>).

Note: If you delete all Java destinations from your configuration and reload `syslog-ng`, the JVM is not used anymore, but it is still running. If you want to stop the JVM, stop `syslog-ng` and then start `syslog-ng` again.

* * *

[Prerequisites](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch2/destination-elasticsearch2-prerequisites/index.md)

[How AxoSyslog interacts with Elasticsearch](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch2/destination-elasticsearch2-interaction/index.md)

[Client modes](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch2/destination-elasticsearch2-client-modes/index.md)

[Search Guard](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch2/syslog-ng-elasticsearch2-search-guard/index.md)

[Elasticsearch2 destination options (DEPRECATED)](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-elasticsearch2/reference-destination-elasticsearch2/index.md)

Last modified November 20, 2024: [Broken link updates (5644de9a)](<https://github.com/axoflow/axosyslog-core-docs/commit/5644de9a8069da37e3bebf0ed5a4e73cf958a66b>)