7.3.3. Client modes

The syslog-ng OSE application can interact with Elasticsearch in the following modes of operation: http, https, node, searchguard, shield, and transport.

  • HTTP mode. The syslog-ng OSE application sends messages over HTTP using the REST API of Elasticsearch, and uses the cluster_url() and cluster() options from the syslog-ng OSE configuration file. In HTTP mode, the syslog-ng OSE elasticsearch2 driver can send log messages to every Elasticsearch version, including 1.x-5.x. Note that HTTP mode is available in syslog-ng OSE version 3.8 and newer.

    In version 3.10 and newer, you can list multiple servers in HTTP and HTTPS mode in the cluster_url() and server() options. The syslog-ng OSE application will use these destination servers in a load-balancing fashion. Note that load-balancing is handled by an external library (Jest); syslog-ng OSE does not have any direct influence on it.

  • HTTPS mode. The syslog-ng OSE application sends messages over an encrypted and optionally authenticated HTTPS channel using the REST API of Elasticsearch, and uses the cluster_url() and cluster() options from the syslog-ng OSE configuration file. In HTTPS mode, the syslog-ng OSE elasticsearch2 driver can send log messages to every Elasticsearch version, including 1.x-5.x. Note that HTTPS mode is available in syslog-ng OSE version 3.10 and newer.

    This mode supports password-based and certificate-based authentication of the client, and can verify the certificate of the server as well.

    In version 3.10 and newer, you can list multiple servers in HTTP and HTTPS mode in the cluster_url() and server() options. The syslog-ng OSE application will use these destination servers in a load-balancing fashion. Note that load-balancing is handled by an external library (Jest); syslog-ng OSE does not have any direct influence on it.

  • Transport mode. The syslog-ng OSE application uses the transport client API of Elasticsearch, and uses the server(), port(), and cluster() options from the syslog-ng OSE configuration file.

  • Node mode. The syslog-ng OSE application acts as an Elasticsearch node (client no-data), using the node client API of Elasticsearch. Further options for the node can be described in an Elasticsearch configuration file specified in the resource() option.

    Note

    In Node mode, it is required to define the home of the Elasticsearch installation with the path.home parameter in the .yml file. For example: path.home: /usr/share/elasticsearch.

  • Shield mode. Use Elasticsearch X-Pack security (Shield) to encrypt and authenticate your connections from syslog-ng OSE to Elasticsearch 2 and newer. For details on configuring Shield mode, see Procedure 7.3.4, Elasticsearch X-Pack (Shield) and syslog-ng OSE.

  • Search Guard mode. Use the Search Guard Elasticsearch plugin to encrypt and authenticate your connections from syslog-ng OSE to Elasticsearch 2 and newer. For details on configuring Search Guard mode, see Procedure 7.3.5, Search Guard and syslog-ng OSE.
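The following syslog-ng OSE configuration fragment is an added example, not taken from the syslog-ng documentation or project, showing how the HTTP, HTTPS, and transport modes described above map onto elasticsearch2() destination options. The hostnames, index name, keystore and truststore paths, and passwords are placeholders; the option names (client-mode(), cluster-url(), server(), port(), http-auth-type(), java-keystore-filepath(), java-truststore-filepath() and their password counterparts) are written as they appear in the syslog-ng OSE 3.10 elasticsearch2 destination reference and should be checked against the version you run. Only the HTTPS destination verifies the server certificate and authenticates the client, so it is the one routed in the log path; the HTTP destination sends the same REST traffic without transport encryption.

```conf
@version: 3.10

source s_local {
    system();
    internal();
};

# HTTP mode: REST API over plain HTTP. Uses cluster-url() and cluster().
# No transport encryption; hostname is a placeholder.
destination d_es_http {
    elasticsearch2(
        client-mode("http")
        cluster("syslog-ng")
        cluster-url("http://es-http.example.com:9200")
        index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        flush-limit(100)
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)")
    );
};

# HTTPS mode: same REST API over TLS. The server certificate is checked
# against a truststore, and the client authenticates with its own
# certificate. Paths and passwords are placeholders.
destination d_es_https {
    elasticsearch2(
        client-mode("https")
        cluster("syslog-ng")
        cluster-url("https://es-https.example.com:9200")
        index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        # trust anchor used to verify the Elasticsearch server certificate
        java-truststore-filepath("/etc/syslog-ng/es-truststore.jks")
        java-truststore-password("TRUSTSTORE_PASSWORD_PLACEHOLDER")
        # client certificate presented to Elasticsearch
        http-auth-type("clientcert")
        java-keystore-filepath("/etc/syslog-ng/es-client.jks")
        java-keystore-password("KEYSTORE_PASSWORD_PLACEHOLDER")
        flush-limit(100)
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)")
    );
};

# Transport mode: Elasticsearch transport client API. Uses server(),
# port(), and cluster() instead of cluster-url(). Hostname is a placeholder.
destination d_es_transport {
    elasticsearch2(
        client-mode("transport")
        cluster("syslog-ng")
        server("es-node.example.com")
        port(9300)
        index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        flush-limit(100)
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)")
    );
};

log {
    source(s_local);
    destination(d_es_https);
};
```

For password-based rather than certificate-based client authentication in HTTPS mode, replace the keystore options with http-auth-type("basic") together with http-auth-type-basic-username() and http-auth-type-basic-password(); the truststore options stay, since they are what lets syslog-ng OSE verify the server. The cluster() value must match the cluster.name of the Elasticsearch cluster, and the index name template here rotates the index daily.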