Docker Container

I decided to use a container from Allan Simon from the following git repo

https://github.com/allan-simon/docker-rsyslog-elasticsearch


Get the code

Code Block
$ git clone https://github.com/allan-simon/docker-rsyslog-elasticsearch


Revise the base container to use ubuntu:20.04

Code Block (Dockerfile)
FROM      ubuntu:20.04
# Install rsyslog and rsyslog-elasticsearch extensions. All in one
# go to reduce amount of layers.
RUN       apt-get -y update && \
          apt-get upgrade -y --no-install-recommends && \
          apt-get install -y --no-install-recommends \
          software-properties-common && \
          apt-get -y update && \
          apt-get -q -y --no-install-recommends install \
          rsyslog rsyslog-elasticsearch cron logrotate && \
          apt-get clean && \
          rm -rf /var/lib/apt/lists/* && \
          chown syslog /var/log

COPY      entrypoint.sh                  /
COPY      rsyslog.conf                   /etc/
COPY      rsyslog_elasticsearch.conf     /etc/rsyslog.d/
COPY      rsyslog-rotate                 /usr/lib/rsyslog/rsyslog-rotate

ENTRYPOINT ["/entrypoint.sh"]
CMD ["-n"]


Configure RSyslog to Export to Elasticsearch

vi /etc/rsyslog.conf

Code Block
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
#$IncludeConfig /etc/rsyslog.d/*.conf


*.*     /var/log/messages

Restart Rsyslog

$ service rsyslog restart

Test

tail -f /var/log/messages

From another command prompt

logger "hi"


Build

Code Block
$ docker build -t jmehan/rsyslog .


Deploy

Code Block (buildDocker.sh)
#!/bin/bash
CONTAINER=rsyslog
IMAGE=jmehan/rsyslog

# Stop and remove any previous instance so the name can be reused.
docker stop "$CONTAINER"
docker rm "$CONTAINER"

# Publish syslog on UDP and TCP 514 and point omelasticsearch at the ES host.
# ESLOG_ES_USE_HTTPS=off sends to Elasticsearch over plain HTTP.
docker run --name "$CONTAINER" \
--restart=always \
-p 514:514/udp \
-p 514:514 \
-e ESLOG_HOST=192.168.1.50 \
-e ESLOG_ES_PORT=9200 \
-e ESLOG_ES_USE_HTTPS=off \
-d "$IMAGE"

docker logs -f "$CONTAINER"


Utilities

Send logs to RSyslog

...

Code Block
$ logger -n localhost -P 514 "hello world"
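What `logger -n localhost -P 514` actually puts on the wire is a BSD-syslog (RFC 3164) datagram. As an added example (not from the original page or from Allan Simon's repository), the helper below builds such a message with the PRI computed from facility and severity, parses one back into the fields rsyslog's imudp/imtcp inputs extract, and sends it to the host and port the deploy script publishes (host, port and the sample hostname/tag values are assumptions).

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; the PRI field is facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def bsd_timestamp(when):
    # BSD syslog timestamp "Mmm dd HH:MM:SS"; a single-digit day is space padded.
    return when.strftime("%b") + f" {when.day:2d} " + when.strftime("%H:%M:%S")

def build_message(facility, severity, hostname, tag, text, when=None):
    """Assemble the wire format that `logger -n <host> -P 514` produces."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    text = text.replace("\n", " ").replace("\r", " ")  # keep one message per datagram
    return f"<{pri}>{bsd_timestamp(when)} {hostname} {tag}: {text}"

_RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")

def parse_message(raw):
    """Split a message back into its fields, as rsyslog's imudp/imtcp parser does.
    Note: hostname and tag are whatever the sender wrote; over plain UDP/TCP 514
    the receiver cannot verify them, so treat them as claims, not facts."""
    m = _RFC3164.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    pri = int(m.group(1))
    if pri > 191:  # largest valid PRI is 23 * 8 + 7
        raise ValueError("PRI out of range")
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": m.group(4), "message": m.group(5)}

def send_udp(raw, host="localhost", port=514):
    # Assumed target: the UDP port published by the docker run command above.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(raw.encode("utf-8"), (host, port))

if __name__ == "__main__":
    # Constructed sample: facility user (1), severity notice (5) -> PRI 13.
    msg = build_message("user", "notice", "app01", "deploy", "hello world")
    print(msg)
    send_udp(msg)
```

After running it, the line should appear in `tail -f /var/log/messages` inside the container just like the `logger` test above.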


References

Reference                                            URL
Docker log driver syslog forward to Elasticsearch    https://github.com/allan-simon/docker-rsyslog-elasticsearch
omelasticsearch: Elasticsearch Output Module         https://www.rsyslog.com/doc/v8-stable/configuration/modules/omelasticsearch.html

...