On Wed, 23 Nov 2016, Rainer Gerhards wrote:
wiki.rsyslog.com
But I think it has not been updated for a while. You may need an account,
if so, let me know.
I am not sure if the wiki is the best place to do it. We think about
retiring it for a while, it was mainly a spam dump...
While I haven't tried it, a GitHub wiki might be better, especially from a
visibility pov. I could enable it if there are no objections. I don't know
though how granular the GitHub premissons are.
anything that's on the old rsyslog wiki is rather out of date at this point. I
think turning on the github wiki and trying it would be a good move.
David Lang
Rainer
Sent from phone, thus brief.
Am 23.11.2016 16:05 schrieb "mosto...@gmail.com" <mosto...@gmail.com>:
Of course it will help.
Let me take the risk: is there a rsyslog wiki where I could start
documenting what ERK should look like? :P
markdown is mandatory.
El 23/11/16 a las 15:57, Rainer Gerhards escribió:
Would the capability to add metadata in imfile input help? That would be
easy to add. If not, what would give you the Mets data?
Rainer
Sent from phone, thus brief.
Am 23.11.2016 15:51 schrieb "mosto...@gmail.com" <mosto...@gmail.com>:
there are probably ways to simplify the configs, 5K lines of configs seems
excessive :-) how much of this is rulebase config vs rsyslog config?
Each app generates app-access.log, app-tomcat.log, app-application.log
files. imfile allow me to add filename as metadata, but nothing more.
As each application belongs to a workgroup, part of an organizational
unit
and is running on some (multiple) hosts, at the end I have approximately
this for each app:
template(name="json_appX" type="list") {
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" {")
constant(value="\"group\":\"group\","\"unit\":\"unit\",\"app
\":\"appX\",")
constant(value="\",\"file\":\"")
property(name="$!metadata!filename")
constant(value="\",\"msg\":\"")
property(name="msg" format="jsonr")
constant(value="\"}")
}
ruleset(name="json_appX") {
action(
template="json_appX"
type="omrelp"
target="server"
port="20514"
action.resumeRetryCount="-1"
action.reportSuspension="on"
queue.maxdiskspace="5M"
queue.type="LinkedList"
queue.filename="appX.qi"
queue.SaveOnShutdown="on"
)
}
input(type="imfile" file="/logs/appX/access.log" tag="group/appX"
addMetadata="on" ruleset="json_appX" PersistStateInterval="1")
input(type="imfile" file="/logs/appX/tomcat.log" tag="group/appX"
addMetadata="on" ruleset="json_appX" PersistStateInterval="1")
input(type="imfile" file="/logs/appX/application.log" tag="group/appX"
addMetadata="on" ruleset="json_appX" PersistStateInterval="1")
which becomes 5K lines of config file.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
