Here you go. This is what we have so far.
# Global settings: working directory (queue spool files land here),
# message size cap and receive-side parser behaviour.
global(
    workDirectory="/data"
    MaxMessageSize="32k"
    # NOTE(review): with this "off", control characters in received
    # messages (including newlines) are written through unchanged to the
    # files below and on to Elasticsearch, so a sender can inject extra
    # log lines. The default is "on"; keep "off" only if the consumers
    # really need the raw bytes.
    parser.escapeControlCharactersOnReceive="off"
)

# RELP listener; everything it receives is handed to the "json" ruleset.
# NOTE(review): this listener is plaintext. imrelp supports tls="on" with
# certificates if the senders are not on a trusted network.
module(load="imrelp")
input(
    type="imrelp"
    name="imrelp"
    port="20514"
    ruleset="json"
)

# File output used by the error / unknown / to-index rulesets.
module(load="builtin:omfile")
# Sink for messages that mmjsonparse could not parse (see the
# $parsesuccess check in the "json" ruleset).
ruleset(name="error") {
    action(
        type="omfile"
        file="/data/rsyslog-errors.log"
    )
}
# Sink for messages the normalizer could not attribute to any app
# (no $!user set after mmnormalize in the "json" ruleset).
ruleset(name="unknown") {
    action(
        type="omfile"
        file="/data/rsyslog-unknown.log"
    )
}
# RFC 3339 timestamp, used via exec_template("ts") to stamp messages.
template(name="ts" type="string" string="%timestamp:::date-rfc3339%")
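# Final enrichment step before a message is spooled to the to-index file,
# which imfile reads back for the "elastic" ruleset.
ruleset(name="to-index") {
    set $!data = $msg;
    set $!data!host_forwarded = $hostname;
    set $!data!time_processed = exec_template("ts");
    # System properties such as myhostname are referenced with a "$$"
    # prefix in RainerScript; the bare "$myhostname" form is presumably
    # why the original "set ... = $myhostname;" line failed.
    set $!data!host_received = $$myhostname;
    action(
        type="omfile"
        file="/data/to-index.log"
        # one JSON document per line; the "json" template is defined
        # further down in this file
        template="json"
        # never give up on the file, but make a suspension visible
        action.resumeRetryCount="-1"
        action.reportSuspension="on"
    )
}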
# Parsers used by the "json" ruleset: JSON payload first, then liblognorm
# normalization against the combined app rulebase.
module(load="mmjsonparse")
module(load="mmnormalize")
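# Main pipeline for everything received over RELP:
#   mmjsonparse  -> on failure: "error" ruleset
#   mmnormalize  -> no $!user:  "unknown" ruleset
#   per-app .conf includes, each ending with "call to-index".
#
# The ruleset gets its own disk queue so workers do not fall back to a
# temporary queue. Queue parameters belong on the ruleset() object
# itself; as bare lines inside the body they are a syntax error.
# NOTE(review): queue.type="Disk" is a pure disk queue and the slowest
# option; queue.type="LinkedList" together with queue.filename gives a
# disk-assisted queue that only spills to /data when memory fills up.
ruleset(name="json"
        queue.type="Disk"
        queue.filename="relp.qi"
        queue.maxdiskspace="1G"
        queue.SaveOnShutdown="on") {
    # cookie="": the whole message is expected to be JSON, no "@cee:" prefix
    action(
        type="mmjsonparse"
        cookie=""
    )
    if $parsesuccess == "FAIL" then {
        call error
        stop
    }

    # The start script combines /etc/rsyslog.d/apps/*.rb into
    # /etc/rsyslog.rb, one rule per app, e.g.:
    #   rule=app1:app1 whatever1
    #   rule=app2:app2 whatever2
    # Due to how liblognorm works this is much faster than a separate
    # mmnormalize action in each app.conf, which would look like:
    #   else if $!app == "popimap" then {
    #       # Here's an example on when to use inline rules
    #       # https://github.com/rsyslog/rsyslog/issues/625
    #       # Inline rules would make it possible to have
    #       # just 1 config file per app, instead of 2
    #       action(
    #           #rule="<%pri%>%time_received:date% %hostname% %tag% %msg%"
    #           rulebase="/etc/rsyslog.d/apps/app1.rb"
    #           type="mmnormalize"
    #       )
    #       if $!user != "" then {
    #           #FIXME now also fails (not set?) -- now is a system
    #           # property, so it needs the "$$" prefix: $$now
    #           set $!data!index="myindex-" & $now;
    #           set $!data!type="this_msg_type_is_known_by_this_app";
    #           call to-index
    #       } else {
    #           call error
    #       }
    #   }
    #TODO set $.line= app & " " & msg;?
    action(
        type="mmnormalize"
        variable="$!msg"
        rulebase="/etc/rsyslog.d/rsyslog.rb"
    )
    if $!user == "" then {
        call unknown
        stop
    }

    # Each app.conf defines/calls its own pipeline steps and ends with
    # "call to-index".
    $IncludeConfig /etc/rsyslog.d/apps/*.conf
}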
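# Read the spooled to-index file back and hand each line to the
# "elastic" ruleset.
module(load="imfile")
input(
    type="imfile"
    file="/data/to-index.log"
    tag="rsyslog"
    ruleset="elastic"
)

# One JSON document per line.
template(name="json" type="string" string="%$!data%\n")
# Index and type names come from the message itself. In a type="string"
# template a property has to be wrapped in %...%; the bare
# "$!data!index" / "$!data!type" form is emitted as literal text, so
# every document would have gone to an index literally named
# "$!data!index".
template(name="index" type="string" string="%$!data!index%")
template(name="type" type="string" string="%$!data!type%")
module(load="omelasticsearch")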
# Ships each line of /data/to-index.log to Elasticsearch; index and type
# are picked per message through the "index" and "type" templates.
ruleset(name="elastic") {
    # NOTE(review): $rawmsg is the whole line read by imfile, i.e. the
    # JSON text written by the "json" template. It is stored here as a
    # string and not re-parsed, so verify that $!data!index and
    # $!data!type actually resolve for the dynamic index/type templates
    # (an mmjsonparse step before this point may be needed).
    set $!data = $rawmsg;
    set $!data!@timestamp = exec_template("ts");
    # NOTE(review): plaintext HTTP to "server":9200 with no credentials;
    # omelasticsearch has usehttps / uid / pwd parameters if the cluster
    # is not on a trusted network.
    action(
        type="omelasticsearch"
        server="server"
        serverport="9200"
        template="json"
        searchIndex="index"
        dynSearchIndex="on"
        searchType="type"
        dynSearchType="on"
        # retry forever; with no action queue configured this presumably
        # holds up the whole ruleset while Elasticsearch is unreachable
        action.resumeRetryCount="-1"
    )
}
Regards