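Here you go. This is what we have so far.

# ---------------------------------------------------------------------------
# Global settings.
# NOTE(review): parser.escapeControlCharactersOnReceive="off" passes raw control
# characters from received messages straight through to everything downstream
# (the JSON spool file, the imfile re-read, Elasticsearch). Keep it "on" unless
# the application logs genuinely need unescaped control characters.
# ---------------------------------------------------------------------------
global(
    MaxMessageSize="32k"
    workDirectory="/data"
    parser.escapeControlCharactersOnReceive="off"
)

# ---------------------------------------------------------------------------
# Input: RELP listener on 20514, handed to ruleset "json".
# NOTE(review): as written this is a plaintext listener; imrelp supports
# tls="on" (with its tls.* certificate/peer parameters) when the senders are
# not on a trusted network.
# ---------------------------------------------------------------------------
module(load="imrelp")
input(
    port="20514"
    type="imrelp"
    name="imrelp"
    ruleset="json"
)

module(load="builtin:omfile")

# Messages whose JSON could not be parsed are written here (see ruleset "json").
ruleset(name="error") {
    action(
        type="omfile"
        file="/data/rsyslog-errors.log"
    )
}

# Messages that no app rulebase attributed to a user are written here.
ruleset(name="unknown") {
    action(
        type="omfile"
        file="/data/rsyslog-unknown.log"
    )
}

# RFC 3339 rendering of the message timestamp, used via exec_template("ts").
template(name="ts" type="string" string="%timestamp:::date-rfc3339%")

# ---------------------------------------------------------------------------
# Final stage before Elasticsearch: enrich the record and spool it to
# /data/to-index.log, which the imfile input below re-reads into ruleset
# "elastic".
# ---------------------------------------------------------------------------
ruleset(name="to-index") {
    set $!data=$msg;
    set $!data!host_forwarded=$hostname;
    set $!data!time_processed=exec_template("ts");
    #FIXME This line fails. isn't myhostname set?
    # (review: the cause is not visible from this config alone; check rsyslog's
    #  own error output for the parse/assignment message before changing it)
    #set $!data!host_received=$myhostname;
    action(
        action.reportSuspension="on"
        action.resumeRetryCount="-1"
        type="omfile"
        file="/data/to-index.log"
        template="json"
    )
}

module(load="mmjsonparse")
module(load="mmnormalize")

# ---------------------------------------------------------------------------
# Entry ruleset for the RELP input.
#
# The queue.* settings are ruleset *parameters* and have to be given inside
# ruleset( ... ); as bare statements in the ruleset body they are not valid
# RainerScript, so the disk queue was never actually configured.
#
#FIXME seems ruleset workers need a queue or they create a temp queue (performance impact)
# considering this pipeline: relp->file->elastic, what should be the best approach?
# ---------------------------------------------------------------------------
ruleset(
    name="json"
    queue.type="Disk"
    queue.filename="relp.qi"
    queue.maxdiskspace="1G"
    queue.SaveOnShutdown="on"
) {
    # cookie="" parses the whole MSG as JSON (no CEE cookie required).
    action(
        cookie=""
        type="mmjsonparse"
    )
    # $parsesuccess is set by mmjsonparse; non-JSON payloads go to "error".
    if $parsesuccess == "FAIL" then {
        call error
        stop
    }

    # start script combines /etc/rsyslog.d/apps/*.rb into /etc/rsyslog.rb
    # rule=app1:app1 whatever1
    # rule=app2:app2 whatever2
    # Due to how liblognorm works, seems to be much faster than
    # each app.conf file like:
    # else if $!app == "popimap" then {
    #     # Here's an example on when to use inline rules
    #     # https://github.com/rsyslog/rsyslog/issues/625
    #     # Inline rules would make it possible to have
    #     # just 1 config file per app, instead of 2
    #     action(
    #         #rule="<%pri%>%time_received:date% %hostname% %tag% %msg%"
    #         rulebase="/etc/rsyslog.d/apps/app1.rb"
    #         type="mmnormalize"
    #     )
    #     if $!user != "" then {
    #         #FIXME now also fails (not set?)
    #         set $!data!index="myindex-" & $now;
    #         set $!data!type="this_msg_type_is_known_by_this_app";
    #         call to-index
    #     } else {
    #         call error
    #     }
    # }
    #TODO set $.line= app & " " & msg;?

    # NOTE(review): variable="$!msg" normalizes the "msg" *field* of the parsed
    # JSON, not the syslog MSG property ($msg) — confirm that is the intent.
    action(
        type="mmnormalize"
        variable="$!msg"
        rulebase="/etc/rsyslog.d/rsyslog.rb"
    )
    # Anything the combined rulebase could not attribute to a user is parked
    # in "unknown" rather than indexed.
    if $!user == "" then {
        call unknown
        stop
    }

    # Each app.conf defines/calls their own pipeline steps
    # at the end: call to-index
    $IncludeConfig /etc/rsyslog.d/apps/*.conf
}

# ---------------------------------------------------------------------------
# Second leg: re-read the spool file and ship to Elasticsearch.
# ---------------------------------------------------------------------------
module(load="imfile")
input(
    type="imfile"
    file="/data/to-index.log"
    tag="rsyslog"
    ruleset="elastic"
)

# One record per line; $!data is rendered as a whole.
template(name="json" type="string" string="%$!data%\n")
# Index and type names are taken from the record itself (dynSearchIndex /
# dynSearchType below). NOTE(review): they must only ever be set by this
# config (e.g. the app rules), never copied from sender-controlled fields,
# or a sender could steer documents into an index of its choosing.
template(name="index" type="string" string="$!data!index")
template(name="type" type="string" string="$!data!type")

module(load="omelasticsearch")
ruleset(name="elastic") {
    set $!data=$rawmsg;
    set $!data!@timestamp=exec_template("ts");
    # NOTE(review): server="server" is a placeholder, and the connection is
    # plain HTTP on 9200 with no credentials. omelasticsearch supports
    # usehttps="on" plus uid/pwd if the cluster is reachable by anything
    # other than this host.
    action(
        action.resumeRetryCount="-1"
        type="omelasticsearch"
        server="server"
        serverport="9200"
        searchIndex="index"
        dynSearchIndex="on"
        searchType="type"
        dynSearchType="on"
        template="json"
    )
}

Regards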