This blog is just a quick announcement that syslog-ng 4.8.1 is now available in EPEL 10, so you do not have to use the testing repository anymore. Thanks everyone for the feedback!
However, support for Elasticsearch 7+ is broken in this release, as some of you reported. You can fix this problem as described in https://github.com/syslog-ng/syslog-ng/issues/5207 by removing references to “type”. Note that this fix removes compatibility with Elasticsearch 6.x, but if you are installing a beta RHEL release or compatible operating system, then you most likely do not use an Elasticsearch version anyway that has long reached its end-of-life… :-)
That said, if you still use Elasticsearch 6.x, then everything should keep working as is. For version 7.x or later, here is the quick fix. Normally, you should not edit files under /usr/share/syslog-ng/include/scl/ yourself. However, in this case, the problem can be fixed by editing /usr/share/syslog-ng/include/scl/elasticsearch/elastic-http.conf and removing references to “type” from two places.
The first is from the block, where we define it with an empty string parameter:
  type("")
The second location is from the body() template:
index._type=`type`
This solves the immediate Elasticsearch problem, but a proper fix will be part of the 4.8.2 release. There, the “real” solution will be fixing the --omit-empty-values parameter of the format-json() template function.
-
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.
 
				 
		