My bad, UDP not TCP.

action(type="omfwd" target="el8" port="10514" protocol="udp" ...)

On Mon, Nov 12, 2018 at 3:54 PM Flo Rance <[email protected]> wrote:

> Hi,
>
> Most probably not. The syntax for the omfwd module is different.
>
> action(type="omfwd" target="el8" port="10514" protocol="tcp" ...)
>
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>
> Flo
>
> On Mon, Nov 12, 2018 at 3:39 PM [email protected] <[email protected]> wrote:
>
>> Flo wrote:
>> > But I might be wrong...
>> You are right. I had thought that the elasticsearch type just sent
>> messages in a specific format.
>>
>> Rainer wrote:
>> > where did you place this? It's not in the config you posted. And, no,
>> > omelasticsearch does not do UDP (neither does Elasticsearch AFAIK).
>> The logstash is listening on UDP, and it's just waiting for some json
>> formatted syslog messages. This is then fed in to ESearch.
>>
>> I have replaced the type() with omfwd, which I think is more
>> appropriate. My template (not included below) is a json template that
>> logstash expects. I've included this below. Should the files in the
>> queues directory decrease?
>>
>> *.info { action (type="omfwd"
>>     server="el8"
>>     serverport="10514"
>>     protocol="udp"
>>     searchIndex="unix"
>>     bulkmode="on"
>>     template="ElasticSearchTemplate"
>>     name="el8-514-out"
>>     queue.spoolDirectory="/soft/rsyslog/queues"
>>     queue.size="1024000"
>>     queue.filename="el8-10514.queue"
>>     queue.maxdiskspace="512m"
>>     queue.type="FixedArray"
>>     queue.maxfilesize="20m"
>>     queue.saveonshutdown="on"
>>     queue.discardseverity="6"
>>     Action.ResumeInterval="1"
>>     Action.ResumeRetryCount="-1"
>>   )
>> }
>>
>> Contents of queues directory:
>> total 179M
>> -rw------- 1 rsyslog rsyslog  21M Nov  8 10:24 el7-10514.queue.00000001
>> -rw------- 1 rsyslog rsyslog  21M Nov 12 10:50 el7-10514.queue.00000002
>> -rw------- 1 rsyslog rsyslog  21M Nov 12 10:50 el7-10514.queue.00000003
>> -rw------- 1 rsyslog rsyslog  21M Nov 12 15:10 el7-10514.queue.00000004
>> -rw------- 1 rsyslog rsyslog 9.3M Nov 12 15:20 el7-10514.queue.00000005
>> -rw------- 1 rsyslog rsyslog  579 Nov 12 15:20 el7-10514.queue.qi
>> -rw------- 1 rsyslog rsyslog  21M Nov  8 10:24 el8-10514.queue.00000001
>> -rw------- 1 rsyslog rsyslog  21M Nov 12 10:50 el8-10514.queue.00000002
>> -rw------- 1 rsyslog rsyslog  21M Nov 12 10:50 el8-10514.queue.00000003
>> -rw------- 1 rsyslog rsyslog  21M Nov 12 15:10 el8-10514.queue.00000004
>> -rw------- 1 rsyslog rsyslog 9.3M Nov 12 15:20 el8-10514.queue.00000005
>> -rw------- 1 rsyslog rsyslog  579 Nov 12 15:20 el8-10514.queue.qi
>>
>> From: Flo Rance [mailto:[email protected]]
>> Sent: Monday, November 12, 2018 3:19 PM
>> To: rsyslog-users
>> Cc: LOEWENTHAL Sophie
>> Subject: Re: [rsyslog] Ruleset : send to server over UDP instead of TCP
>>
>> Hi,
>>
>> It seems that the primary purpose of omelasticsearch is to send logs to
>> elasticsearch rest, running on http or https, thus using tcp. It's not
>> intended to use udp.
>>
>> https://www.rsyslog.com/doc/v8-stable/configuration/modules/omelasticsearch.html
>>
>> But I might be wrong...
>>
>> Flo
>>
>> On Mon, Nov 12, 2018 at 3:12 PM sophie.loewenthal--- via rsyslog <[email protected]> wrote:
>>
>> I thought this could work, but nope:
>>
>> protocol="tcp" / protocol="udp"
>>
>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 70: parameter 'protocol' not known -- typo in config file? [v8.24.0 try http://www.rsyslog.com/e/2207 ]
>>
>> > -----Original Message-----
>> > From: rsyslog [mailto:[email protected]] On Behalf Of
>> > sophie.loewenthal--- via rsyslog
>> > Sent: Monday, November 12, 2018 2:44 PM
>> > To: rsyslog-users
>> > Cc: LOEWENTHAL Sophie
>> > Subject: [rsyslog] Ruleset : send to server over UDP instead of TCP
>> >
>> > Hi,
>> >
>> > Will this rule send the messages to the server over UDP or TCP? I would
>> > like this to be UDP.
>> >
>> > # RuleSet
>> > *.info { action (type="omelasticsearch"
>> >     server="el8"
>> >     serverport="10514"
>> >     searchIndex="unix"
>> >     bulkmode="on"
>> >     template="ElasticSearchTemplate"
>> >     name="el8-514-out"
>> >     queue.size="1024000"
>> >     queue.filename="el8-10514.queue"
>> >     queue.spoolDirectory="/soft/rsyslog/queues"
>> >     queue.maxdiskspace="512m"
>> >     queue.type="FixedArray"
>> >     queue.maxfilesize="20m"
>> >     queue.saveonshutdown="on"
>> >     queue.discardseverity="6"
>> >     Action.ResumeInterval="1"
>> >     Action.ResumeRetryCount="-1"
>> >   )
>> > }
>> >
>> > This page gives examples in the old format, but not for the new format:
>> > https://www.rsyslog.com/doc/v8-stable/configuration/actions.html
>> >
>> > Best wishes,
>> > Sophie

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
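
Added example, not part of the original thread and not the rsyslog project's own code: the ruleset from the thread rewritten with omfwd's own parameters, following the syntax Flo's reply gives. It assumes the ElasticSearchTemplate template named in the thread is defined elsewhere in rsyslog.conf; the queue.* and action.* values are carried over unchanged from the posted config.

```conf
# Added example. Forward *.info, rendered with the JSON template, to the
# Logstash UDP listener on el8:10514.
#
# omfwd takes target/port/protocol. The omelasticsearch parameters
# server, serverport, searchIndex and bulkmode are dropped: they are not
# omfwd parameters and trigger "parameter ... not known" at config parse time.
#
# ElasticSearchTemplate is assumed to be defined elsewhere in the config
# (the thread says it exists but does not show it).
*.info {
    action(type="omfwd"
           target="el8"
           port="10514"
           protocol="udp"
           template="ElasticSearchTemplate"
           name="el8-514-out"
           queue.type="FixedArray"
           queue.size="1024000"
           queue.filename="el8-10514.queue"
           queue.spoolDirectory="/soft/rsyslog/queues"
           queue.maxdiskspace="512m"
           queue.maxfilesize="20m"
           queue.saveonshutdown="on"
           queue.discardseverity="6"
           action.resumeInterval="1"
           action.resumeRetryCount="-1"
    )
}
```

Check the file with `rsyslogd -N1` before restarting the daemon. Over UDP the sender gets no acknowledgement and the datagrams travel unencrypted and unauthenticated, so the receiving Logstash input should only be reachable from trusted hosts.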

