...
Code Block |
---|
$ systemctl restart rsyslog |
Forwarding to Elasticsearch
Install rsyslog-elasticsearch
Code Block |
---|
$ apt-get install rsyslog-elasticsearch |
Add config file for elasticsearch
Code Block |
---|
$ vi /etc/rsyslog.d/10-rsyslog-elasticsearch.conf |
Code Block |
---|
module(load="omelasticsearch") # for outputting to Elasticsearch
# this is for index names to be like: logstash-YYYY.MM.wWW (where WW is the week number)
template(name="logstash-index"
type="list") {
constant(value="logstash-")
property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
constant(value=".")
property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
constant(value=".w")
# here we use the week number to avoid creating lots of shards on Elasticsearch
property(name="timereported" dateFormat="week")
}
# permits to have the part after `/` in programname
global(parser.permitSlashInProgramName="on")
# this is for formatting our syslog in JSON with @timestamp
template(name="plain-syslog"
type="list") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"programname\":\"") property(name="programname" format="json")
constant(value="\",\"procid\":\"") property(name="procid" format="json")
constant(value="\",\"message\":\"") property(name="msg" format="json")
constant(value="\"}")
}
# this is where we actually send the logs to Elasticsearch
action(server="127.0.0.1"
serverport="9200"
usehttps="off"
type="omelasticsearch"
template="plain-syslog"
errorfile="/tmp/rsyslog-elasticsearch-error.log"
searchIndex="logstash-index"
dynSearchIndex="on")
|
Restart
Code Block |
---|
$ systemctl restart rsyslog |
Check Status
Code Block |
---|
$ systemctl status rsyslog |