Hi,

Does this configuration look ok before I let this configuration rip in 
production?  

A server running rsyslog 8.7.4 on Solaris 11 that receives TCP and UDP messages 
from a mixture of syslog and rsyslog clients.
Each client has a %HOST.log created on the server file system.
The rsyslog server forwards all those incoming messages into an ElasticSearch 
via a JSON template server listening on a remote server on port 10514.

The configuration I wrote successfully receives the UDP and TCP messages on the 
server.  

Can anybody see any configuration there that could cause undue processing or 
errors? So far the testing has gone well.
I've posted the configuration below. 

Many thanks, Sophie
---------------------------------------------

The new syslog server is called syslog-new. The old one is called syslog-old. 
b777 and b888 are the ElasticSearch servers (not their real names).

CONFIGURATION:
$ModLoad imsolaris      # for Solaris kernel logging
$ModLoad imtcp
$ModLoad imudp
$InputTCPMaxSessions 600
$InputTCPMaxListeners 60
$WorkDirectory /var/spool/rsyslog/work
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
$template DynaFile,"/var/spool/rsyslog/%HOSTNAME%.log"
template(name="json-template0"
  type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"")     property(name="msg" format="json")
      constant(value="\",\"sysloghost\":\"")  property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"programname\":\"") property(name="programname")
      constant(value="\",\"procid\":\"")      property(name="procid")
    constant(value="\"}\n")
}
$template json-template2,"{\"message\":\"%msg:::json%\",\"fromhost\":\"%HOSTNAME:::json%\",\"facility\":\"%syslogfacility-text%\",\"priority\":\"%syslogpriority-text%\",\"timereported\":\"%timereported:::date-rfc3339%\",\"timegenerated\":\"%timegenerated:::date-rfc3339%\"}"
$FileOwner root
$FileGroup sys
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
$RuleSet Local
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
authpriv.*      /var/adm/authpriv.log
*.emerg                                         :omusrmsg:*
*.alert                                         :omusrmsg:root
& stop
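$RuleSet Remote
# Write every received message to a per-host file
*.*     ?DynaFile
# Relay to the old syslog server over UDP
*.info        @syslog-old
# Relay to the ElasticSearch servers over TCP, formatted with json-template2
*.info         @@b777:10514;json-template2
*.info         @@b888:10514;json-template2
& stop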
$DefaultRuleset Remote
$InputTCPServerBindRuleset Remote
$InputTCPServerRun 514
$InputUDPServerBindRuleset Remote
$UDPServerRun 514
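
A pre-production check on the forwarded stream, as an added example that is not part of the original post: it validates lines shaped by the post's json-template2 (one JSON object per line, the six keys that template emits, RFC 3339 timestamps). The function names and sample lines are constructed for illustration.

```python
import json
from datetime import datetime

# Field names taken from json-template2 in the post above.
EXPECTED_KEYS = {"message", "fromhost", "facility", "priority",
                 "timereported", "timegenerated"}
TIME_KEYS = ("timereported", "timegenerated")


def check_line(line):
    """Return a list of problems for one forwarded line; empty means OK."""
    try:
        doc = json.loads(line)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s (column %d)" % (exc.msg, exc.colno)]
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    missing = sorted(EXPECTED_KEYS - set(doc))
    if missing:
        problems.append("missing keys: " + ", ".join(missing))
    for key in TIME_KEYS:
        value = doc.get(key)
        if value is None:
            continue
        try:
            # fromisoformat() on older Pythons rejects a trailing "Z"
            stamp = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        except ValueError:
            problems.append("%s is not an RFC 3339 timestamp: %r" % (key, value))
            continue
        if stamp.tzinfo is None:
            problems.append("%s has no UTC offset: %r" % (key, value))
    return problems


def check_stream(lines):
    """Map 1-based line number -> problems, for the lines that fail."""
    return {n: p for n, p in
            ((n, check_line(l)) for n, l in enumerate(lines, start=1)) if p}


# Constructed sample lines (not captured from the poster's system).
SAMPLE = [
    '{"message":" su: \\"root\\" login on /dev/pts/3","fromhost":"web01","facility":"auth","priority":"notice","timereported":"2015-02-10T09:15:02+01:00","timegenerated":"2015-02-10T09:15:02.431907+01:00"}',
    '{"message":" disk check ok","fromhost":"db02","facility":"daemon","priority":"info","timereported":"Feb 10 09:15:03","timegenerated":"2015-02-10T09:15:03.100200+01:00"}',
    '{"message":" line cut short by the sen',
]

if __name__ == "__main__":
    for number, problems in check_stream(SAMPLE).items():
        print(number, problems)
```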


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog