Hi Todd,

Thank you for your feedback letting me know this combination is
possible. Currently I do not have an rsyslog template set up. All I have
is the action line with the required elasticsearch server information.
I'll create a template and see if this helps.

-Jason

On 05/29/2013 12:52 PM, Todd Mortensen wrote:
> I am using the following and I see my data in kibana. I imported the
> logstash template into kibana.
>
> I would like to parse out more fields but it is a start.
>
> template(name="ElasticLogStash" type="string"
> string="{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%}}")
>
> # ES index name
> template(name="ESLSidx" type="string"
> string="logstash-%timereported:1:10:date-rfc3339%")
>
> action(name="Elastic" Template="ElasticLogStash" type="omelasticsearch"
>                server="elasticsearch.example.org"
>                searchIndex="ESLSidx"
>                dynSearchIndex="on"
>                bulkmode="on"
>                queue.dequeuebatchsize="200"
>                queue.type="linkedlist"
>                queue.filename="elasticlsq"
>                queue.highwatermark="500000"
>                queue.lowwatermark="400000"
>                queue.discardmark="5000000"
>                queue.timeoutenqueue="0"
>                queue.maxdiskspace="5g"
>                queue.size="2000000"
>                queue.saveonshutdown="on"
>                action.resumeretrycount="-1")
>
> I do see strange results from pstats, but I have not had time to track
> down why it is reporting so many failed when I do see the data in
> elasticsearch.
>
>
> 2013-05-29T10:45:35.330398-07:00 central.example.org rsyslogd-pstats:
> elasticsearch: connfail=0 submits=6951573 failed=6963852 success=0
>
>
>
>
> On Wed, May 29, 2013 at 9:55 AM, Jason A. Johnson <[email protected]> wrote:
>
>> Hello,
>>
>> I'm currently working on a central logging solution which seems to be
>> working great. Rsyslog is forwarding logs to the central logging server,
>> which has been upgraded to version 7.2.7, and elasticsearch is storing the
>> logs. Searching elasticsearch I can see that logs are being sent/stored.
>> However I would like to get the frontend working, which is kibana 3. I'm
>> wondering if anyone has been able to get kibana 3 working with rsyslog
>> or could point me in the direction of what I would need to change on
>> the kibana side to have the logs visible. Logstash settings are the default
>> for kibana, so it works out of the box. I have looked at the defaults for
>> kibana and the only difference I can see that needs to be updated is the
>> timestamps defaults index:
>>
>> "index": "[logstash-]YYYY.MM.DD" I have changed that to "system", which
>> is what shows up in elasticsearch when logs are forwarded from rsyslog to
>> be stored. However no logs are being displayed in kibana.
>>
>> If someone has any idea what I'm missing, that would be helpful.
>> Thank You,
>> Jason
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
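Added example, not part of the original thread and not rsyslog or Kibana code: a Python sketch that rebuilds the document shape and index name produced by the two quoted templates and checks them against a dashboard index pattern such as the "[logstash-]YYYY.MM.DD" default mentioned above. The sample property values are constructed, json.dumps only approximates rsyslog's json/jsonf escaping, and the reading of the pattern (bracketed literal, then YYYY/MM/DD date tokens) is an assumption.

```python
import json
import re
from datetime import datetime

# Constructed sample values standing in for rsyslog message properties.
SAMPLE = {"timestamp": "2013-05-29T10:45:35.330398-07:00", "source": "web01.example.org",
          "fromhost-ip": "192.0.2.10", "msg": ' Failed password for "root"\tport 22',
          "syslogfacility-text": "auth", "syslogseverity-text": "info",
          "app-name": "sshd", "procid": "4242"}
# Output name -> property, as listed inside "@fields" in the quoted template.
FIELDS = [("facility", "syslogfacility-text"), ("severity", "syslogseverity-text"),
          ("program", "app-name"), ("processid", "procid")]
TOKENS = {"YYYY": r"\d{4}", "MM": r"\d{2}", "DD": r"\d{2}"}

def jsonf(name, value):  # approximates the 'jsonf' option: "name":"escaped value"
    return json.dumps(name) + ":" + json.dumps(value)

def esc(value):  # approximates the 'json' option: escaped value, no surrounding quotes
    return json.dumps(value)[1:-1]

def render_document(p):
    """Build the same JSON shape as the quoted ElasticLogStash template."""
    fields = ",".join(jsonf(out, p[prop]) for out, prop in FIELDS)
    return ("{" + jsonf("@timestamp", p["timestamp"]) + "," + jsonf("@source_host", p["source"])
            + ',"@source":"syslog://' + esc(p["fromhost-ip"]) + '","@message":"' + esc(p["msg"])
            + '","@fields":{' + fields + "}}")

def index_name(p):  # ESLSidx: 'logstash-' plus characters 1-10 of the RFC 3339 timestamp
    return "logstash-" + p["timestamp"][:10]

def pattern_to_regex(pattern):
    """Assumption: [..] is a literal, YYYY/MM/DD are digits, anything else is literal."""
    parts = re.findall(r"\[([^\]]*)\]|(YYYY|MM|DD|.)", pattern)
    return "".join(re.escape(lit) if lit else TOKENS.get(tok, re.escape(tok)) for lit, tok in parts)

def check(doc_line, index, kibana_pattern):
    """Return a list of reasons a timestamped dashboard would not find this document."""
    try:
        doc = json.loads(doc_line)
    except ValueError as exc:
        return ["document is not valid JSON: %s" % exc]
    problems = []
    try:
        datetime.fromisoformat(doc["@timestamp"])
    except (KeyError, TypeError, ValueError):
        problems.append("@timestamp missing or not an RFC 3339 date")
    if not re.fullmatch(pattern_to_regex(kibana_pattern), index):
        problems.append("index %r does not match pattern %r" % (index, kibana_pattern))
    return problems
```

With the constructed sample, index_name() returns "logstash-2013-05-29", which check() accepts for the pattern "[logstash-]YYYY-MM-DD" and reports as a mismatch for "[logstash-]YYYY.MM.DD" or for a fixed index name such as "system".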