Could somebody here post this configuration example to
http://wiki.rsyslog.com/index.php/Configuration_Samples

It will take structured logs from journald and send them to elasticsearch
in their structured format.  As an added bonus it will also parse out any
json formatted logs (example: Node.js Bunyan).

Caveat: Journal msgs containing characters that break json will fail to
import to elasticsearch.

-----------------
# Import modules for input from journald and output to elasticsearch.
# StateFile keeps the journal read position across rsyslog restarts so the
# journal is not re-ingested from the beginning (a relative path is placed
# under the rsyslog work directory).
module(load="imjournal" StateFile="imjournal.state")
module(load="omelasticsearch")

# If the message contains json, parse it. cookie="" means no "@cee:" cookie
# is required: any message body that looks like a json object is tried.
module(load="mmjsonparse")
action(type="mmjsonparse" cookie="")

# Set the timestamp (@timestamp is the field elasticsearch/kibana expect)
template(name="timegeneratedrfc3339" type="string"
         string="%timegenerated:::date-rfc3339%")
set $!@timestamp = exec_template("timegeneratedrfc3339");

# Take all of the json generated from the journald, timestamp and
# mmjsonparse and put it into a template
template(name="json-to-elk" type="string" string="%$!all-json-plain%")

# Set the elasticsearch index: one index per day, from the message date
template(name="index" type="string"
         string="rsyslog-%timereported:1:10:date-rfc3339%")
# Set the elasticsearch _type, use the app-name.
template(name="type" type="string" string="%app-name%")

# Send all logs to elasticsearch. searchIndex/searchType name the templates
# above; dynSearchIndex/dynSearchType make them evaluate per message.
*.*     action(type="omelasticsearch"
               template="json-to-elk"
               server="192.168.200.1"
               dynSearchIndex="on"
               searchIndex="index"
               dynSearchType="on"
               searchType="type")

-----------------

-- 
Theodore Cowan
https://github.com/deuscapturus
https://www.linkedin.com/in/theodore-cowan-01774a3
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
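The following is an added example, not code from the post above or from rsyslog itself. It models in plain Python what the posted config does to each journal entry, so the resulting elasticsearch document can be inspected offline: the mmjsonparse step with cookie="" (a MESSAGE that starts with "{" is parsed as json and its keys merged in, otherwise nothing is merged), the @timestamp field, the daily "rsyslog-YYYY-MM-DD" index name and the app-name used as _type. It assumes journal entries shaped like `journalctl -o json` output (constructed here, not captured), uses the journal's __REALTIME_TIMESTAMP in place of both timegenerated and timereported, uses SYSLOG_IDENTIFIER in place of app-name, and adds an illustrative `json_parsed` marker that is not an rsyslog property. The third sample entry carries a literal TAB inside a json string, which the json grammar forbids unescaped, to show how a message that is not valid json falls through unparsed.

```python
"""Offline model of the document the rsyslog config above builds per entry.

Added example, not the original poster's or rsyslog's code. Simplifications
and assumed names are noted in the comments.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample entries shaped like `journalctl -o json` output
# (not captured from a real system). The third one contains a raw TAB
# inside a JSON string, which is invalid JSON.
SAMPLE_ENTRIES = [
    {
        "__REALTIME_TIMESTAMP": "1452434400123456",
        "_HOSTNAME": "web1",
        "SYSLOG_IDENTIFIER": "node",
        "PRIORITY": "6",
        "MESSAGE": '{"name":"api","hostname":"web1","pid":4242,"level":30,'
                   '"msg":"request served","time":"2016-01-10T14:00:00.120Z","v":0}',
    },
    {
        "__REALTIME_TIMESTAMP": "1452434401000000",
        "_HOSTNAME": "web1",
        "SYSLOG_IDENTIFIER": "sshd",
        "PRIORITY": "6",
        "MESSAGE": "Accepted publickey for deploy from 192.0.2.10 port 50422 ssh2",
    },
    {
        "__REALTIME_TIMESTAMP": "1452434402000000",
        "_HOSTNAME": "web1",
        "SYSLOG_IDENTIFIER": "node",
        "PRIORITY": "3",
        "MESSAGE": '{"name":"api","level":50,"msg":"bad\tvalue"}',
    },
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_json_message(message):
    """Model mmjsonparse with cookie="": no cookie is required, so any MESSAGE
    that starts with '{' is tried as JSON. Returns (fields, True) on success
    and (None, False) when there is no JSON object or it does not parse.
    json.loads is strict by default and rejects raw control characters."""
    if not message.startswith("{"):
        return None, False
    try:
        fields = json.loads(message)
    except ValueError:  # JSONDecodeError is a ValueError
        return None, False
    if not isinstance(fields, dict):
        return None, False
    return fields, True


def build_document(entry):
    """Return (index, type, document) for one journal entry, following the
    config: journald fields + parsed JSON fields + @timestamp, a daily index
    named rsyslog-YYYY-MM-DD, and the app-name as the elasticsearch _type.
    Assumption: __REALTIME_TIMESTAMP stands in for timegenerated/timereported
    and SYSLOG_IDENTIFIER for app-name."""
    micros = int(entry["__REALTIME_TIMESTAMP"])
    ts = EPOCH + timedelta(microseconds=micros)  # exact, no float rounding
    doc = {k: v for k, v in entry.items() if k != "__REALTIME_TIMESTAMP"}
    fields, ok = parse_json_message(entry.get("MESSAGE", ""))
    if ok:
        doc.update(fields)  # parsed keys land beside the journald fields
    doc["json_parsed"] = ok  # illustrative marker, not an rsyslog property
    doc["@timestamp"] = ts.isoformat(timespec="microseconds")  # RFC 3339
    index = "rsyslog-" + ts.strftime("%Y-%m-%d")
    doc_type = entry.get("SYSLOG_IDENTIFIER", "-")
    return index, doc_type, doc


def render_documents(entries):
    """Render what the omelasticsearch action would send: index, type and
    one JSON body per entry."""
    out = []
    for entry in entries:
        index, doc_type, doc = build_document(entry)
        out.append({"_index": index, "_type": doc_type,
                    "_source": json.dumps(doc, sort_keys=True)})
    return out


if __name__ == "__main__":
    for rendered in render_documents(SAMPLE_ENTRIES):
        print(rendered["_index"], rendered["_type"], rendered["_source"])
```

Running it prints three bodies: the Bunyan line arrives with its `name`, `level` and `msg` keys at top level next to the journald fields, the sshd line keeps only its journald fields and raw MESSAGE, and the entry with the raw TAB is left unparsed rather than dropped, which is the behaviour to check for when a structured log source stops showing up as structured fields.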
