You may well be able to insert the rejected log into a different index. Most of our failed logs are down to a mismatch between the mapping config and the fields in json logs.
An error index that treats the whole message as a single blob should work fine. On Fri, 2 Dec 2016, 08:35 [email protected], <[email protected]> wrote: > El 01/12/16 a las 23:08, David Lang escribió: > > On Thu, 1 Dec 2016, [email protected] wrote: > > > > I think that you are going to end up with some grief, if the message > > could not be insterted into ES for some reason, I think the odds are > > good that you will find that rawmsg can't be inserted either. > After sending the email I though the same... > > > I would keep the errorfile as a file and look at it periodially. I > > expect that when you first start things up, you will run into a number > > of errors, but once you work your way though them, the error rate will > > be low. > > > > Set your monitoring system to monitor the size of the errorfile, and > > it it starts growing significantly, generate an alert. > Would love to have a more unattended/XXth century way, if anyone knows. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

