You may well be able to insert the rejected log into a different index.
Most of our failed logs are down to a mismatch between the mapping config
and the fields in json logs.

An error index that treats the whole message as a single blob should work
fine.

On Fri, 2 Dec 2016, 08:35 [email protected], <[email protected]> wrote:

> El 01/12/16 a las 23:08, David Lang escribió:
> > On Thu, 1 Dec 2016, [email protected] wrote:
> >
> > I think that you are going to end up with some grief, if the message
> > could not be insterted into ES for some reason, I think the odds are
> > good that you will find that rawmsg can't be inserted either.
> After sending the email I though the same...
>
> > I would keep the errorfile as a file and look at it periodially. I
> > expect that when you first start things up, you will run into a number
> > of errors, but once you work your way though them, the error rate will
> > be low.
> >
> > Set your monitoring system to monitor the size of the errorfile, and
> > it it starts growing significantly, generate an alert.
> Would love to have a more unattended/XXth century way, if anyone knows.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to