How AxoSyslog interacts with Elasticsearch
The AxoSyslog application sends the log messages to the official Elasticsearch client library, which forwards the data to the Elasticsearch nodes. The way AxoSyslog interacts with Elasticsearch is described in the following steps.
- After AxoSyslog is started and the first message arrives at the `elasticsearch2` destination, the `elasticsearch2` destination tries to connect to the Elasticsearch server or cluster. If the connection fails, AxoSyslog repeatedly attempts to connect again after the period set in `time-reopen()` expires.
- If the connection is established, AxoSyslog sends JSON-formatted messages to Elasticsearch.
- If `flush-limit()` is set to 1, AxoSyslog sends the message reliably: it sends a message to Elasticsearch, then waits for a reply from Elasticsearch. In case of failure, AxoSyslog repeats sending the message, as set in the `retries()` parameter. If sending the message fails `retries()` times, AxoSyslog drops the message. This method ensures reliable message transfer, but is slow (about 1000 messages/second).
- If `flush-limit()` is higher than 1, AxoSyslog sends messages in a batch, and receives the response asynchronously. In case of a problem, AxoSyslog cannot resend the messages. This method is relatively fast (depending on the size of `flush-limit()`, about 8000 messages/second), but the transfer is not reliable. In transport mode, over 5000-30000 messages can be lost before AxoSyslog recognizes the error. In node mode, about 1000 messages can be lost.
- If `concurrent-requests()` is higher than 1, AxoSyslog can send multiple batches simultaneously, increasing performance (and also the number of messages that can be lost in case of an error).
Version 3.10 and newer of AxoSyslog automatically converts the timestamp (date) of the message to UTC, as needed by Elasticsearch and Kibana.
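The two operating modes described above, written out as `elasticsearch2` destination definitions. This is an added illustration, not configuration taken from the AxoSyslog documentation: the options not named above (`client-lib-dir()`, `client-mode()`, `cluster()`, `server()`, `port()`, `index()`, `type()`) are assumed from the usual `elasticsearch2` option set, and every host, path and cluster value is a placeholder.

```conf
@version: 3.10

source s_local { system(); internal(); };

# Reliable mode: one message per request, wait for the acknowledgement.
# Slow (about 1000 msg/s), but a failed send is retried retries() times
# before the message is dropped, so a transient error costs no data.
destination d_elastic_reliable {
    elasticsearch2(
        client-lib-dir("/usr/share/elasticsearch/lib/")  # placeholder path
        client-mode("transport")
        cluster("elasticsearch")                          # placeholder name
        server("elastic.example.com")                     # placeholder host
        port("9300")
        index("syslog-${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        flush-limit(1)           # synchronous: send one, wait for the reply
        retries(3)               # resend up to 3 times, then drop
        time-reopen(10)          # seconds between reconnection attempts
        concurrent-requests(1)   # no parallel batches
    );
};

# Throughput mode: batches of 500 messages, response handled asynchronously,
# up to 4 batches in flight. Roughly 8x faster, but on an error nothing
# already handed to the client library can be resent, and every extra
# concurrent request raises the number of messages that can be lost.
destination d_elastic_fast {
    elasticsearch2(
        client-lib-dir("/usr/share/elasticsearch/lib/")  # placeholder path
        client-mode("transport")
        cluster("elasticsearch")                          # placeholder name
        server("elastic.example.com")                     # placeholder host
        port("9300")
        index("syslog-${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        flush-limit(500)         # batch size; loss on error scales with this
        concurrent-requests(4)   # parallel batches; loss on error scales with this
        time-reopen(10)
    );
};

# Route audit-grade logs through the reliable destination; bulk traffic
# that tolerates gaps can use d_elastic_fast instead.
log {
    source(s_local);
    destination(d_elastic_reliable);
};
```

When deciding between the two, weigh the batch size against the loss figures given above for transport and node mode rather than against throughput alone.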