I'm Tan and I come from Vietnam.
You know, I would like to send data from Syslog-ng to Elasticsearch, around 1 thousand message lines, but on the ES side I see just 515 docs. It means ES received and processed only about half of the messages sent from Syslog-ng.
I changed the configuration and tried several times, and in one of the cases I saw the number of docs equal to just 10% of the number of incoming messages.
I have 5 ES nodes, and 2 of them are data nodes with the configuration: 4GB RAM, 4 cores and the data folder mounted from a NAS device.
Of course, I also checked the bandwidth, HDD, RAM and CPU. They worked well and used only around 50% of their capacity.
I would like everyone to share some of your experience with this.
Are there any parameters that I have to configure to tune my system?
Tuning my system is taking me a lot of time.
Thank you very much!